Network Behavior Analysis  PAGE 20

Mobile Security Trends  PAGE 36

Europe and the U.S.  PAGE 38

Dollars Cents

CHANGE?

Cash, cards, merchandise

of sale. Are your defenses up to date?

PAGE 24

November 2008  $9.00  www.csoonline.com


The latest and greatest in online security.

Also the greenest.

Get visible site security from the company your customers trust.

https://www.overstock.com/checkout

Identified by VeriSign

It’s simple: a green bar means your site is secure. For your customers, this means they can trust their Web experience. It’s all done through VeriSign® Extended Validation (EV) SSL Certificates, which verify and visually represent the authenticity and security of Web sites. This protects you and online customers. Combine visitor confidence with the strongest encryption available to each site visitor to maximize your site’s overall security profile.

Get your free white paper, The Latest Advancements in SSL Technology, at www.verisign.com/cso or call 1-866-893-6565 or 1-650-426-5115.

© 2008 VeriSign, Inc. All rights reserved. VeriSign, the VeriSign logo, the Checkmark Circle logo, VeriSign Secured logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc., and its subsidiaries in the United States and foreign countries. All other trademarks are property of their respective owners.


November 2008  Vol. 7, No. 9

Features...

24  Point of Steal
Cover Story | Loss Prevention
Cash registers and point-of-sale devices have always been targeted for theft. And now they’re more complex than ever.
By Michael Fitzgerald

28  The Good News, the Bad News
Global Security Survey
You’ve beefed up your IT security arsenal, and you’re focused on compliance. But you’re still vulnerable. Here’s why.
By Kim S. Nash

Also Inside...

2  From the Editor
4  From the Publisher

6  Join the Discussion
CSOonline readers discuss a vulnerability assessment gone awry and business continuity event management.

9  Briefing
■ Internet apocalypse: the sequel
■ Inside OSAC’s race against terrorism
■ Risk management spending
■ What the financial meltdown means for security
■ ‘Scareware’ pushers
■ Security wisdom watch
■ Flawed terror threat system
■ Securing academia

20  Toolbox
Toward a Well-Behaved Network
Network behavior analysis tools can help tune operations as well as improve security. Here are five tips for getting the job done. By Bob Violino

36  Industry View
Five Mobile Security Trends Keeping CIOs up at Night
The pace of mobilization within many enterprises is increasing rapidly. By Matt Bancroft

38  CSO View
The One-Way Mirror
Europeans regard quality management requirements as an integral part of security. By Paul Raines

40  Debriefing
Investment bank CEO versus CSO


CSO (ISSN 1540-904X) is published monthly except for a combined issue in July/August and December/January by CXO Media Inc., 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208. Periodical Postage Rate at Framingham, MA 01701, and at additional mailing offices. Canadian Publications Mail agreement number 1902075. Canadian Postmaster: Please return undeliverable copy to P.O. Box 1632, Windsor, ON N9A 7C9. Copyright 2008 by CXO Media Inc. All rights reserved. Reproduction of material appearing in CSO is forbidden without written permission. Permission to photocopy for internal or personal use or the internal or personal use of specific clients is granted by CSO for users through the Copyright Clearance Center, provided that a fee of $3.50 per copy of the article is paid directly to Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01970, www.copyright.com. Please specify: ISSN 1540-904x. Permission to photocopy does not extend to contributed articles followed by this symbol: †. Address inquiries to CSO, P.O. Box 3482, Northbrook, IL 60065; 866 354-1125. CSO is free to qualified security executives. To all others the one-year basic rate is $70 for the United States and Canada, $95 to foreign countries (payable in U.S. funds only). The single copy price is $9 to the U.S. and Canada and $15 International. Please allow four to six weeks for new subscriptions to begin. Change of Address: Go to www.omeda.com/custsrv/cso and follow the online instructions. Postmaster: Send change of address to: CSO, P.O. Box 3482, Northbrook, IL 60065. Printed in the USA.


Cover  Illustration  by  Jonathan  Barkat 


November  2008  www.csoonline.com  1 


[  FROM  THE  EDITOR] 


Turning  Points 

I wanted very much to write a column about how we’ve reached a turning point regarding application security.

It wasn’t that I thought one particular cataclysmic event has changed our course for the better. Rather, it was an accumulation of smaller observations and developments.

Writers and bloggers like Jeremiah Grossman, Hugh Thompson, Gary McGraw (and many others) have done great work shedding light on the topic.

OWASP, the Open Web Application Security Project, has established chapters around the world, and its Top Ten vulnerability list is ever more widely disseminated.

(ISC)2 recently set forth a new certification covering application lifecycle security issues.

Both source-code analysis tools and application vulnerability scanners and services can help find flaws on either end of development and deployment. These technologies are maturing quickly.

And if there is a big one, it would be the application security requirements in version 6.6 of the PCI Data Security Standard, which went into effect this past June and essentially calls for you to use the two approaches mentioned in the preceding paragraph (if not both).

That’s a good bit of app sec activity. Taken together, I thought, maybe it constitutes a quorum of some sort? Alas, as I tried to kindle the flames of a warm and fuzzy analysis of these signs of progress, James McGovern was standing by with a bucket of cold water. McGovern is leader of the Hartford chapter of OWASP. His simple response to my hypothesis: “I think the black hats are winning.”


McGovern gives three reasons. One, companies tend to work toward consensus, which takes time. Even if an application security vulnerability becomes visible to attackers and defenders at the same time, he argues, the attackers are much quicker on the draw while the defenders go through the process of discussion and prioritization. Two, he says outsourced application development creates some obstacles; offshore shops in particular are governed by the rule of margins, so they are discouraged from adding security steps (and therefore time, and therefore cost) to the development process.

Reason three is a bit of a kick in the seat of the pants: McGovern says that technical security is “a hard thing to participate in for nontechnical people,” and that the proliferation of CIOs with nontechnical backgrounds has made it harder to communicate technical risk.

Can’t wait to hear from CIOs on that one. Actually, I’d argue that reason three is really a problem with the communication skills of technical security people; the world isn’t going to grind to a halt so everyone can learn the ins and outs of SQL injection and cross-site request forgery, so the security community is going to have to keep working on nontechnical analogies and other ways of explaining problems.

But at any rate, perhaps McGovern is right, and we haven’t hit an inflection point. Yet.

What  do  you  think  it  will  take? 

-Derek Slater,  dslater@cxo.com 


Editor  in  Chief  Derek  Slater 
Senior  Editors 
Bill  Brenner,  Joan  Goodchild 
Associate  Copy  Editor 
Kristin  Burnham 

Editorial  Assistant  Jarina  D’Auria 
Editorial  Administrator 
Simone  Levien 
Contributors 

Matt  Bancroft,  Scott  Berinato, 
Michael  Fitzgerald,  Gregg  Keizer, 
Robert  McMillan,  Kim  S.  Nash, 
Paul  Raines,  Patrick  Thibodeau, 
Jaikumar  Vijayan,  Bob  Violino 

DESIGN 

Executive  Director,  Art  and  Design 

Mary  Lester 

Art  Director  Steve  Traynor 


RESEARCH 

Research  Manager  Carolyn  Johnson 

CXO  MEDIA/IDG 

COO  Matt  Smith 
CSO  Robert  Hayes 

TECHNICAL  ADVISORY  BOARD 

Jason  Cowling 

Jeremiah  Grossman,  WhiteHat  Security 
Frank  Murphy,  TBG  Security 
Stephen  Northcutt,  SANS  Institute 


EDITORIAL/ADVERTISING/ 
BUSINESS  OFFICES 


492  Old  Connecticut  Path, 

P.O.  Box  9208, 

Framingham,  MA  01701-9208 
Main  phone  number:  508  872-0080 


CXO MEDIA INC.


INTERNATIONAL  DATA  GROUP 


Chairman  of  the  Board 

Patrick  J.  McGovern 

IDG  COMMUNICATIONS,  INC. 

CEO 

Bob  Carrigan 


BPA Worldwide

Photo by Webb Chappell


What  would  you  pay 
for  this  USB  stick? 


Some  would  pay 

BILLIONS 


Every day you read about some company’s intellectual property stored on a portable storage device that is either lost or stolen. With Lumension’s Data Protection Solution you know who is accessing your company’s data and with what devices. Don’t wait to find out how much someone would pay for your information. Get Proactive. Get Lumension.

Learn  more  about  data  protection  misconceptions  and  how  Lumension  Security’s 
Data  Protection  Solution  can  protect  your  data  by  downloading  the  whitepaper  at 
www.lumension.com/security-tip-22  or  for  a  FREE  30  DAY  TRIAL  call  us  at  1.888.970.1025 


Vulnerability  Management  /  Endpoint  Security  /  Data  Protection  /  Compliance 


Lumension Security


15880  N.  Greenway-Hayden  Loop,  Suite  100  /  Scottsdale,  AZ  85260  /  1.888.970.1025  /  www.lumension.com 
©  Copyright  2008,  Lumension  Security™,  Inc.  All  Rights  Reserved. 




[  FROM  THE  PUBLISHER  ] 


Does  Size 
Matter? 


I recently had the opportunity to sit down with several groups of security and technology executives from small and midsize businesses (SMBs) to get a better sense of how they manage risk in their enterprises with limited budgets and resources. The challenge of managing security in the SMB requires a special skill set. They’re working with smaller budgets, smaller staffs and often a more challenging environment in which to sell the value of security to senior leadership in their business. That doesn’t mean, however, that there are not commonalities that are shared with their peers at large enterprises.

They understand security best practices very well. But often they must adjust those practices in an environment of constrained resources. What is most often sacrificed is any extensive attempt to adopt a strategic, proactive approach to security. At even some of the largest of enterprises, I find that broad-based strategy and proactive approaches to security fall victim to putting out the daily fires that constantly erupt. So in that way, our SMB brethren aren’t so different from their larger corporate cousins.

But when I look at the market research, I get a sense of the disparity between large and small. In this issue of CSO, Kim Nash has done a great job of delving into the results of the 2008 Global State of Information Security survey that CSO conducts in partnership with PricewaterhouseCoopers and CIO magazine. The survey shows that security and privacy best practices achieve far lower rates of adoption in the SMB in comparison to larger enterprises. When compared with large enterprises, they are far less likely to:

■  have  an  overall  information  security 
strategy, 

■  conduct  regular  risk  assessments, 


■  have  a  person  responsible  for  privacy  in 
their  organization, 

■  have  an  accurate  inventory  of  where  their 
data  is  stored, 

■  conduct  due  diligence  of  the  third-party 
companies  that  handle  personal  data  of 
their  customers  and  employees, 

■  use  encryption  technologies, 

■  employ  a  CSO  or  other  individual  with 
executive-level  responsibility  for  risk 
management 

and so on...

This clearly reflects the impact of budget and staffing on a good security program, but also awareness at an executive level. Risk is a relative thing, and all businesses share a vulnerability to the common kinds of threats. What varies, however, is how those threats impact an organization and how much risk the organizations are willing, or able, to accept. Ultimately those decisions rest with the corner office, but it would be a mistake to assume that the CEO understands all of the threats your business faces on a daily basis. As I often mention here, make sure you sell, sell, sell the value of security to your bosses.
Ultimately  those  decisions  rest  with  the  corner 
office,  but  it  would  be  a  mistake  to  assume 
that  the  CEO  understands  all  of  the  threats 
your  business  faces  on  a  daily  basis.  As  I  often 
mention  here,  make  sure  you  sell,  sell,  sell  the 
value  of  security  to  your  bosses. 

-Bob  Bragdon,  bbragdon@cxo.com 


Advertiser  Index 

CA Inc . . . C4
CXO Media Inc . . . 15, 19, 23, 39
Diebold Inc . . . 11
Garda . . . 5
HID Corp . . . C3
(ISC)2 . . . 8
Lumension Security . . . 3
RSA Security Inc . . . 13
SecureWorks . . . 17
Solidcore Systems . . . 35
VeriSign Inc . . . C2


President  and  CEO 
Michael  Friedenberg 
Publisher  Bob  Bragdon 
Senior  Ad  Sales  Associate 
Christine  McKay 
East  Coast  Regional  Manager 
Roz  Burke 

Regional  Sales  Manager  Matt  Knuth 

INTEGRATED  MEDIA  AND 
ONLINE  SALES 

Vice  President,  Online  Sales 

Brian  Glynn 

Online  Regional  Sales  Manager 
Richard  Hartman 
Online  Regional  Sales  Manager, 
West  Coast  Erika  Karr 
Online  Regional  Sales  Manager, 
Midwest  Sarah  Gaskin 
Manager,  Online  Account  Services 
Danielle  Tetreault 

Online  Account  Services  Specialists 
Jennifer  Malkasian,  Tara  Shea 
Online  Advertising  Specialist 
Barbara  Sullivan 
Online  Sales  Associate 
Erin  Sullivan 

CUSTOM  SOLUTIONS  GROUP 

Vice  President  Matt  Avery 
National  Sales  Director 

Adam  Dennison 

PRODUCTION 

VP/Manufacturing  Chris  Cuoco 
Production  Manager  Heidi  Broadley 
Associate  Production  Manager 
Lisa  M.  Stevenson 

EXECUTIVE  PROGRAMS 

VP,  Executive  Programs 

Ellen  Daly 

Director,  Event  Marketing 

Mary  Conroy 

Director,  Event  Operations 
Deb  Begreen 

Editorial  Director  Maryfran  Johnson 
National  Sales  Manager 
Per  Melker 

Eastern  Regional  Sales  Manager 
Sarah  Moon 
Sales  Associate 
Lauren  Costello 
Event  Planner  Sarah  Reagan 
Event  Planner/Client  Relations 
Laura  Biringer 

Registration  Specialist  Cress  O’Brien 
Marketing  Specialist  Kristin  Gallo 
Client  Services  Specialist  Erica  Foster 

LIST  SERVICES 

Contact  Paul  Capone  of 
IDG  List  Services  at  508  370-0865  or 
pcapone@idglist.com 

REPRINTS  &  PERMISSIONS 

For  information  about  reprints  and 
copyright  permissions,  please  contact 
The  YGS  Group,  800-290-5460  ext.  150, 
cso@theygsgroup.com 


Photo by Christopher Navin


Vance  Uniformed  Protection  is  now  Garda 

A  new  name  for  the  security  team  you  know  &  trust 


For  decades,  Fortune  500  corporations  and  sensitive  government 
agencies  alike  have  trusted  Vance  Uniformed  Protection  to  secure 
personnel,  property  and  assets.  Strict  screening  produces  quality 
security  officers.  Rigorous  training  and  supervision  requirements  yield 
consistent,  reliable  services  that  reduce  risk  and  deter  criminal  activity. 
Now  part  of  Garda,  Vance  Uniformed  Protection  continues  to  deliver 
unsurpassed  value,  maximizing  client  budgets  by  offering  superior 
security  programs  at  a  competitive  price. 


In  fact,  only  our  name  has  changed.  The  same  men  and  women — 
from  the  company’s  seasoned  management  team  to  its  experienced 
security  officers — provide  exceptional  value  and  service  with  a  total 
commitment  to  quality,  day  in  and  day  out. 

Under  the  Garda  name,  Vance  Uniformed  Protection  experts 
continue  to  protect  your  people  and  assets.  We  use  the  same 

screening,  training,  employee-retention  programs  and  the  same 
quality-assurance  standards  to  deliver  the  service  consistency 
and  peace  of  mind  that  you  have  come  to  expect. 


GARDA 


Contact our experts at 800.533.6754 or info@gardasecurity.com to upgrade your security program. gardasecurity.com


FORMERLY  VANCE 


What’s on your mind? Security leaders discuss and debate at www.csoonline.com


EXECUTIVE  COMMUNICATION 

A  CEO’s  Tale  of 
Disappointment 

A  vulnerability  assessment 
gone  awry 

I met the CEO of a holding company on a recent flight to North Carolina. Our conversation started on the topic of my “Art of War” column.

The column, I explained, is focused on sharing Sun Tzu’s insights on strategy with information security practitioners. At first he was silent, but I could tell something was wrong. Moments passed before he related a shocking risk assessment experience his firm had.

After the recent inclusion of the fourth company into their holdings, the need for a risk assessment was evident. Many of their companies conducted business on wireless networks and all of them accepted online payments. Their networks held critical data about their investors and customers. Additionally, data was shared between the members of the equity firm.

The assessment process was a negative experience for the firm.

The IT infrastructure was the focus of the assessment. The business processes that this infrastructure supported received little to no attention. To add insult to injury, the assessment team recommended changes in business practices based solely on their study of the infrastructure. In the end, the risk assessment was rejected. Worst of all, this negative experience influenced the view of management related to security consultants.

After  hearing  his  tale,  I  inquired  on 
what  advice  he  would  give  me  as  an  IT 
auditor.  Here  are  some  of  the  highlights 
from  his  reply. 

Learn the business first. An accurate risk profile cannot be discerned without understanding the environment in which the risk resides. Every aspect of the enterprise must be examined.

Involve the management team. The management team must be kept in the loop. A communication plan must be established and followed. Management can be part of the solution.

Speak our language. The lexicon of a business person differs from that of the security practitioner. They speak in the language of accounting, management and marketing. Our focus is on the protection of information assets at a granular level. We must realize that each camp is concerned with the confidentiality, integrity and availability of those assets to the business and its customers. We must work to develop a common communication framework.

The  biggest  takeaway  I  had  as  I  walked 
off  the  plane  was  the  power  of  impressions. 
The  failure  of  one  consulting  firm  infected 
the  perspective  of  an  entire  organization. 
Given  the  CEO’s  story,  I  fear  that  other 
organizations  may  hesitate  in  seeking 
out  security  expertise.  I  hope  that  this 
posting  serves  as  a  cautionary  tale  to  other 
professionals. 

-Steve  Fox 

BC/DR 

Business Continuity Event Management: an Overview

The purpose of business continuity event management (BCEM) is reduction of harm to employees, customers, investors and the business when an unexpected business interruption—a business continuity event (BCE)—occurs. In this post, I provide an overview of how to manage a BCE. In future posts, we’ll incrementally expand this high-level view into a BCEM plan.

When responding to a catastrophic BCE, the first consideration is protection of human life. Although we’ll address this in our plan, most of our focus will be on managing the smaller events which happen much more frequently.

Photo by iStockphoto.com

The second consideration is the restoration of information processing services. Finally, we need to mitigate people, process or technology weaknesses that enabled the event—the root causes.

BCEM, which effectively addresses these areas, produces the following benefits for the organization:

1.  The  business  impact  of  each  incident 
is  minimized. 

2.  Human  safety  is  addressed. 

3.  Corporate  liability  due  to  lack  of  due 
diligence  is  mitigated. 

4.  Regulatory  requirements  are  met. 

5.  The  organization’s  public  image  is 
protected  by  a  fast,  professional  response. 

Meeting  these  objectives  requires  a 
process-based  approach  (including  the 
following  five  steps): 

Prepare. Optimal business mitigation is rarely possible unless the organization plans for probable events. Preparation includes development of manual processes, implementation of redundant systems, documentation of mitigation and recovery plans, and training key personnel.

Detect. Early detection of a service interruption helps minimize harm. Detection tools and techniques are a critical element of a BCEM strategy.


Contain  and  mitigate.  Upon  detection, 
the  response  team  should  act  as  planned 
during  the  “prepare”  step  to  either  quickly 
recover  the  failed  process  or  system,  or 
implement  interim,  mitigating  processes. 
For  example,  the  loss  of  an  order  entry 
system  might  result  in  telephone  sales 
staff  moving  to  paper-based  order  taking 
to  continue  accepting  customer  purchases. 

Analyze. Once service is restored or mitigated, an analysis of the event provides understanding of root cause as well as possible issues with containment and mitigation processes. Even if the service is still down, the recovery team should take the time to identify root causes before attempting remediation. Addressing symptoms instead of the disease results in inevitable recurrences of the event.

Remediate and measure. Using information collected in the analysis step, the recovery team uses an action plan to remove root causes and, if necessary, restore full system operation. They should then monitor and measure the effectiveness of their remediation steps.

Results of this process provide feedback to employees responsible for preparation activities. Lessons learned, especially during incident and response root-cause analysis in the “analyze” step, are integrated into detection, containment and mitigation documentation. It’s also necessary to change recovery team training to account for differences.

-Tom Olzak


HOW TO REACH US


You  can  contact  us 
directly  or  post  your 
thoughts  on  specific 
articles  and  blogs  at 
www.CSOonline.com. 

Derek  Slater,  Editor  in  Chief 

dslater@cxo.com 

508  935-4213 

Bill  Brenner,  Senior  Editor 
bbrenner@cxo.com 
508  988-7587 

Joan  Goodchild,  Senior  Editor 

jgoodchild@cxo.com 

508  988-7994 

Subscriber  Services 

Phone:  866  354-1125 
Fax:  847  564-9453 
E-mail:  cso@omeda.com 

Reprints  &  Permissions 

For  information  about  reprints 
and  copyright  permissions, 
please  contact  The  YGS  Group, 
800  290-5460,  ext.  150, 
cso@theygsgroup.com 


MORE  ON  THE  WEB 

Security  Deep-Dives 

Need depth? See The Case Study Collection (www.csoonline.com/article/455381) for a round-up of peer challenges and solutions. Need numbers? The Security Metrics Collection (www.csoonline.com/article/455463) will guide you through financial and operational methods to measure and improve your efforts.




In  this  black  and  white  world  of  infosecurity, 
there’s  still  one  company  that’s  measured  by  the  intangible 


INTEGRITY 


60,000  members  worldwide. 

20  years  of  experience  in  information  security. 

6 ANSI/ISO/IEC Standard 17024 accredited certification programs,
1 globally accepted Code of Ethics.


And  an  uncommon  goal  toward  professionalism,  dedication  and  perseverance 


integrity  to  your  resume  with  (ISC)2®  certifications, 

www.isc2.org/integrity 


SECURITY  TRANSCENDS  TECHNOLOGY 


“The  current  system  to  identify  terrorist  threats  has  been  crippled  by 
technical flaws  [that]  will  leave  our  country  more  vulnerable”  Page  10 


Edited  by  Bill  Brenner 


Internet 

Apocalypse: 

The  Sequel 

The apocalyptic warnings over this summer’s DNS flaw had barely died down when a new volley of doomsday warnings erupted over yet another major attack technique.

This time, the threat is called clickjacking and it threatens all the major browsers, from Internet Explorer and Firefox to Safari and Opera.

Robert Hansen, one of the two security researchers who first raised the warning about clickjacking in late September, says there are at least six different flaws that could allow the bad guys to go on a clickjacking rampage.

Although the threat has been associated with browsers, the problem is actually much deeper, says Hansen, founder and chief executive of SecTheory.

Clickjacking  is  similar  to  cross-site  request 
forgery,  a  known  type  of  vulnerability  and 
attack  that  sometimes  goes  by  CSRF  or 
“sidejacking.” 

But clickjacking is different enough that the current anti-CSRF security provisions built into browsers, sites and Web applications are worthless.

“At a high level, almost everyone is affected by it,” Hansen says. “The problem is that a lot of people who spent a lot of time defending [against cross-site request forgery] didn’t see this coming. This works completely differently, and has much wider-reaching issues. [Attackers] can get users to click a button [in clickjacking] where they may not be able to get them to click a button in JavaScript.”

Hansen’s research partner, Jeremiah Grossman, chief technology officer at WhiteHat Security, explains how attackers could exploit clickjacking vulnerabilities:

“Think of any button on any website, internal or external, that you can get to appear between the browser walls,” Grossman says. “Wire transfers on banks, Digg buttons, CPC advertising banners, Netflix queue, etc. The list is virtually endless, and these are relatively harmless examples.

“Next, consider that an attack can invisibly hover these buttons below the users’ mouse, so that when they click on something they visually see, they actually are clicking on something the attacker wants them to.”

Hansen  seconded  Grossman’s  example 
with  one  of  his  own: 

“Say you have a home wireless router that you had authenticated prior to going to a [legitimate] website. [The attacker] could place a tag under your mouse that frames in a single button an order to the router to, for example, delete all firewall rules. That would give them an advantage in an attack.”

Hackers would not need to compromise a legitimate site in order to conduct a clickjacking attack underneath it, Hansen adds.

There  are  several  possible  solutions  to 
the  clickjacking  problem,  but  only  one  makes 
sense.  “The  only  people  who  can  fix  this  in 
a  scalable  way  are  the  browser  vendors,” 
Hansen  says. 

He and Grossman have been in contact with Microsoft, Mozilla and Apple, the makers of Internet Explorer, Firefox and Safari, respectively.

Together, those companies’ programs account for more than 98 percent of all browsers used between late August and late September, according to data from Net Applications.

Adobe  Flash  is  also  at  risk. 

There  are  indications  that  the  vendors  are 
taking  this  one  seriously. 

Adobe Systems warned users in early October that hackers could use clickjacking tactics to secretly turn on a computer’s microphone and Web camera.

“This  potential  clickjacking  browser  issue 
affects  Adobe  Flash  Player’s  microphone  and 
camera  access  dialog,”  admits  David  Lenoe, 
the  company’s  security  program  manager. 

For  the  moment,  the  best  defense  against 
clickjacking  attacks  is  to  use  Firefox  with  the 
NoScript  add-on  installed. 

Users  running  that  combination  will  be 
safe  against  “a  very  good  chunk  of  the  issues, 
99.99  percent  at  this  point,”  Hansen  says. 

In the next breath, however, he calls the Firefox-NoScript solution a stop-gap fix suitable only for technical users.

“If  my  Mom  was  using  NoScript,  I’d  be 
taking  all  kinds  of  technical  support  calls,”  he 
says.  “It’s  not  the  right  solution.” 

-Gregg  Keizer 




>>  BRIEFING 


PHYSICAL  SECURITY 


INSIDE 
OSAC’S  RACE 
AGAINST 
TERRORISM 


The recent bombing of the Marriott Hotel in Pakistan is the type of incident the Overseas Security Advisory Council (OSAC) was set up to deal with. Specifically, its goal is to keep such events from happening in the first place and, if necessary, help those affected by terrorist acts to bounce back quickly.

To do that, this federal advisory council works to promote security cooperation between American business and private-sector interests across the globe. Participating in these activities is John McClurg, vice president of global security for Honeywell International. Honeywell is an OSAC member organization along with such business giants as Cigna, Boeing, FedEx and Raytheon, and McClurg chairs a subcommittee designed to ensure that critical information is delivered in as many media formats as possible.

In this Q&A, McClurg explains how the organization works and how it can help corporations prevent or at least weather the next attack.


CSO: For those unfamiliar with OSAC, describe its history and main goals.

John McClurg: It’s one of the longest-running and most successful private-public partnerships in existence. It started in the 1980s during the administration of (U.S. Secretary of State) George Shultz during a critical time when this kind of cooperation was rare.


Fast-forward to 2008: We recently observed the seventh anniversary of 9/11. With that in mind, what’s the main security concern of OSAC these days?

The center at all times for us is to ensure a proper apprehension of the validated threats that are poised to strike against U.S. corporations functioning in the global marketplace. Wrapping our arms around that ever-changing dynamic threat profile in a way that’s meaningful and actionable for U.S. corporations is at the heart of the whole exercise. The growing analytic staff at the heart of the OSAC mission is geared toward that, effectively linking up with the private sector to help filter and pinpoint trends, and be a source in which constituents can prepare for whatever may be coming down the pike.


Describe the specific ways in which member organizations work together.

There are a variety of ways we work together. At one end of the spectrum is the collaboration and networking that takes place at our annual November briefing in Washington, D.C. We sit and listen to reports and establish dialogues with different organizations that can best collaborate. We also rely on more than 100 country councils around the globe that are tied into OSAC. They are associated and linked to various embassies and hold regular meetings where concerns and best practices for specific local issues can be traded between members. Then there’s the website, where a lot of threat information flows in on a real-time basis to our members. Of our three main committees, one is focused on that kind of content. Then there’s a committee tasked with keeping up on and growing membership. Then my committee is tasked with making sure all our information is delivered in effective ways, be it news articles or podcasts.


Of all the trends taking shape, which ones should businesses be most concerned about right now?

There’s always the potential for new terrorist attacks, and when an event unfolds members need access to the most up-to-date, real-time information possible. That’s always the biggest concern.


Does OSAC hold any extra awareness activities around certain anniversaries like 9/11?

The occurrence of an anniversary doesn’t really affect us, since a heightened state of security has been the constant since 9/11. What was a higher state of vigilance 10 years ago is just the norm today. But there is more heightened activity whenever there are high-profile events taking place.


Such as?

There was a lot of security activity around the Olympics. OSAC was a great resource for corporations that either hosted customers at the Olympics or sponsored events. With events like this, we certainly appreciate the fact that terrorists like to try things, as we saw during the 1972 Olympics in Munich.


Can you talk about security at Honeywell and how it relates to the best practices that OSAC tries to share with its members?

The reason OSAC resonates so well with Honeywell is that we as an organization pride ourselves on being a threat-based organization. There are real threats and theoretical threats, and when deploying your security resources you want to be sure you’re focusing on your most valuable assets and that you are being responsive to the real validated threats. To do that you have to have good data coming in. OSAC has a very analytical core and members need to constantly check in with analysts in various parts of the world. In some cases, companies that are able to use OSAC’s analytical resources can be saved from having to pay for the same resources in-house.

-Bill Brenner


STAY  IN  CONTROL 
OF  YOUR  DATA  AND 
LOCATION  WITH  HELP 
FROM  DIEBOLD. 

Every  day,  you  meet  new  challenges 
in  keeping  your  workplace  safe 
and  secure.  That's  why  you  need 
the  thoughtful  leadership  and 
constant  innovation  from  a  trusted 
security  partner  like  Diebold. 

Whether  you  protect  physical  or 
data  assets  of  financial,  commercial, 
government  or  retail  operations, 
we  can  offer  you  the  tools  that 
you  need  to  effectively  combat 
ever-changing  security  challenges. 

We'll  examine  your  operation  to 
carefully  analyze  strengths  and 
weaknesses  before  recommending 
a  best-of-breed  solution.  And 
with  more  than  4,500  Diebold 
technicians  nationwide,  you'll  have 
help  when  and  where  you  need  it. 


HOW  SHOULD  YOUR 
SECURITY  EVOLVE? 


Learn  more  about  financial,  commercial,  government 
and  retail  security  solutions. 

CONTACT  YOUR  DIEBOLD  REPRESENTATIVE  OR 
VISIT  WWW.DIEBOLD.COM/SECURE 


DtEBOLD 

SECURITY 


OPINION 


>>  BRIEFING 


RISK  MANAGEMENT 

Wall Street Meltdown Could Spur Risk Management Spending

Competition  and  regulation  after  the  crisis  will  likely 
increase  interest  in  technology  to  manage  risk 

The ongoing chaos on Wall Street could hold an upside for vendors of risk management technologies and practices, as well as sellers of compliance management products. Analysts see an increased interest in these products from financial companies for competitive reasons and to comply with the new regulations that many predict are inevitable following the meltdown.

One area that many agree is likely to see a much greater interest is risk modeling and financial risk management. There are some “core tenets” for effective risk management highlighted by the current crisis, says Dave Hoag, director of clearing information technology at Chicago-based derivatives exchange CME Group. The biggest of them: the need for fair and transparent visibility into the models, data and analytics that go into calculating the risk associated with different financial transactions, Hoag says. Expect to see greater investment in risk management technologies as companies seek, or are driven to, implement this greater transparency in their risk calculation processes, he says.

Even though the current problems on Wall Street have more to do with an absence of regulatory oversight than with faulty risk-management practices, expect to see a greater focus on accounting for risk at least for some time, says Glyn Holton, an independent financial risk management consultant based in Boston.

“Financial  risk  management  makes  a  wonderful  scapegoat  [for  the  current  crisis],” 
Holton  says.  “This  is  a  cycle  we  go  through  when  we  have  losses.  We  trot  out  the  back- 
office  risk  management  guys.  There  will  be  some  more  focus  on  strengthening  risk 
management,  some  technology  will  be  purchased,  and  probably  monitoring  will  be 
increased.” 

Dennis  Santiago,  CEO  of  professional  services  firm  Institutional  Risk  Analytics,  says 
the  Wall  Street  crisis  has  exposed  some  fundamental  shortcomings  in  the  risk-modeling 
technologies  and  analytics  currently  being  used.  “We  have  been  pretty  much  using  the 
same  tools  now  for  a  decade.  One  of  the  things  that  is  clearly  beginning  to  show  itself 
at  this  stage  is  that  the  techniques  that  worked  before  don’t  work  as  well  anymore,” 
Santiago  says.  -Jaikumar  Vijayan 



What Does the Financial Meltdown Mean for Security?


At first, this was going to be a column about the PR machine’s hyperbolic efforts to connect the state of IT and security with the current financial crisis.

Indeed,  some  have  shamelessly  sent  me 
story  pitches  that  try  to  get  some  bang  out 
of  the  Wall  Street  meltdown.  This  pitch,  from 
a  PR  flak  whose  name  I  won’t  mention,  even 
starts  with  an  admission  that  the  proposed  IT 
angle  is  a  stretch: 

“This might be a bit of hyperbole, but as companies like AIG and Lehman Brothers look for a bailout, it’s not surprising that adoption of open-source software is increasing significantly in the wake of today’s economic downturn,” the person wrote in an e-mail that circulated around my office.

That’s right, the financial crisis means companies are fleeing to the safety of open-source software, whether it’s for security or other purposes.

By  the  way,  the  flak  wrote,  her  vendor  client 
would  be  more  than  happy  to  talk  to  us  about 
this  all-important  issue. 

But as I started to look around for more examples of FUD, I started stumbling across blogs and articles examining the potential impact of the crisis on security in a more reasoned fashion. Columnist Rob Kall suggests in this OpEdNews.com piece that the financial crisis itself may be a sham dreamed up by government officials who want to scare us into allowing their excesses as much as we did after the 9/11 attacks:

“The news is abuzz with the reports of the solemn, haggard faces of the leaders of Congress when Bush’s economic czars Paulson and Bernanke informed them of the deadly threat of financial meltdown the U.S., even the world economy, faced if something dramatic was not done immediately. So, of course, they came out, shaking in their boots, telling the nation how awful things were, how close to the abyss we’ve come,” he writes, adding, “This sounds far too similar to Bush’s surrogates Condoleezza Rice and Colin Powell warning us, at the U.N. and in Congress in 2003, that Iraq and its WMDs was an imminent threat to the nation and the world.”

Dan  Blacharski  at  IT  World  writes  about  the 
“financial  meltdown  and  impending  IT  crisis,” 
suggesting  that  the  current  crisis  will  trigger  a 
drastic  pullback  on  IT  investments. 

“There’s  more  evidence  that  [the  financial 
crisis  is]  hitting  the  IT  business,  which  until 
now  has  been  relatively  untouched,”  he  writes, 
citing  a  Channel  Insider  Mid-Year  Outlook 
survey  of  300  vendors.  “Not  too  long  ago,”  he 
writes,  “at  the  beginning  of  this  year,  the  sur¬ 
vey  said  about  75  percent  of  resellers  expected 
profits  to  be  up  compared  to  2007.  Today, 
only  half  said  that.  According  to  the  report, 
providers  say  their  customers  have  delayed  IT 
projects,  are  taking  longer  to  make  purchasing 
decisions,  scale  back  deployments  and  push 
back  on  pricing.” 

And in his blog, StillSecure Chief Strategy Officer Alan Shimel writes about the potential impact of the financial meltdown on security vendors:

“On one hand, under the present conditions, the financial sector, long a foundational vertical for just about every security vendor, will not have a lot of spare cash for IT in general and I am sure security in particular,” he writes. “It will be rough sledding trying to convince financial firms that now is a great time to invest money in the latest security technologies. On the other hand, new regulations and oversight could lead to more compliance.”

Who  can  argue  that  Sarbanes-Oxley  did  not 
boost  security  spending,  he  asks,  suggesting 
that  by  the  same  measure,  any  new  regulation 
of  the  industry  should  have  a  corresponding 
element  of  security  and  data  integrity  as  part 
of  it. 

“Overall, the security industry will make out better than many other IT sectors,” he concludes. “This meltdown is going to reshape not only Wall Street but Main Street as well. But in the end there will still be storefronts selling IT security.”

That  may  well  be  the  case.  Time  will  tell. 

Those  in  the  PR  world  need  to  be  careful 
about  the  pitches  they  make,  because  stirring 
the  FUD  well  will  only  make  things  worse. 

-as 


ANTIMALWARE 


Microsoft,  Washington  State 
to  Sue  “Scareware”  Pushers 


Microsoft and Washington state are cracking down on scammers who bombard computer users with fake warning messages in the hopes of selling them useless software.

The state’s attorney general and lawyers from Microsoft’s Internet Safety Enforcement team have announced several lawsuits against so-called “scareware” vendors, who are being charged under Washington’s Computer Spyware Act.

The attorney general’s office described the vendors as “aggressive marketers of scareware: useless computer programs that bilk consumers by using pop-up ads to warn about nonexistent, yet urgent-sounding computer flaws.”

This  is  not  the  first  time  Microsoft  and  Washington’s  attorney  general  have  teamed 
up  to  fight  scareware. 

In  2005,  they  jointly  sued  Secure  Computer,  a  security  software  company  they 
accused  of  using  fake  error  messages  to  scare  users  into  buying  its  Spyware  Cleaner 
software.  Secure  Computer  eventually  paid  $1  million  to  settle  the  charges. 

Washington’s  attorney  general  has  also  brought  lawsuits  against  companies  such 
as  Securelink  Networks  and  High  Falls  Media,  as  well  as  the  makers  of  a  product  called 
QuickShield,  all  of  which  were  accused  of  marketing  their  products  using  deceptive 
techniques  such  as  fake  alert  messages. 

Fake  alert  messages  can  be  effective.  In  August,  researchers  at  North  Carolina  State 
University  reported  that  computer  users  are  highly  likely  to  click  on  fake  Windows  error 
messages. 

In their study, nearly two-thirds of respondents clicked “OK” when presented with a phony Windows pop-up message.

The use of these fake messages is a growing problem on the Internet, says Katherine Tassi, Washington’s assistant attorney general. Scammers are “getting more and more creative, and putting more and more effort into making them look like security messages,” she says.

The most prevalent scareware program in circulation today is software called Antivirus XP 2008, according to Alex Eckelberry, president of Sunbelt Software. Often installed on a PC without proper notification, the software bombards victims with fake security warnings, trying to convince them to buy worthless programs that sometimes even harm their PCs. -Robert McMillan






>>  BRIEFING 


SECURITY WISDOM WATCH

This  month,  we  begin  with  those  who 
have  helped  us  find  light  at  the  end  of 
the  tunnel  in  this  economic  hellhole 
and  those  who  only  seem  to  make 
things  worse. 

PR  flacks:  At  a  time  when  we 
need  to  remember  that  “the 
only  thing  we  have  to  fear 
is  fear  itself,”  shameless  PR 
flacks  use  the  economic  crisis 
to  drum  up  a  little  publicity  for  their 
security  vendor  clients. 

Alan Shimel: StillSecure’s chief strategy officer uses his blog and podcast to look at ways in which security vendors might benefit from the situation. But unlike the PR machine, he uses reason, calm and balance to analyze the situation instead of raking the black muck of fear.

David Kernell: The man who allegedly hacked VP candidate Sarah Palin’s e-mail has a history of digital deviousness, including an incident where he broke into a school server about eight years ago while studying at Eastern Hills Middle School in Harker Heights, Texas.

Malicious insiders: According to the most recent Verizon Business Data Breach report, the only thing companies have to fear are their own employees. The report suggests that they are one of the biggest threats to corporate security.

The presidential candidates: McCain and Obama spent too much time slinging mud and too little time explaining how they would bolster cybersecurity.

-B.B.


GOVERNMENT 

Congress:  Terror 
Threat  System 
Full  of  Flaws 

A U.S. House subcommittee is charging that a $500 million IT project intended to “connect the dots” on terrorists and help prevent another 9/11 is a failure; it can’t even handle basic Boolean search terms such as “and,” “or” and “not.”

Allegations of waste and mismanagement were outlined in a recent staff memo and letter from the Subcommittee on Investigations and Oversight, part of the Committee on Science and Technology.

The bulk of the subcommittee’s charges come from a memo prepared by subcommittee staff about a data integration project called Railhead, which is intended to help intelligence and law enforcement agencies uncover terrorist plots.

Railhead, due to be ready by year’s end, was supposed to combine and upgrade existing databases called TIDE (Terrorist Identities Datamart Environment) and improve terrorism-fighting capabilities. But the project is in such bad shape, suffering from delays and cost overruns, that subcommittee Chairman Brad Miller said, “There may be current efforts underway to close down Railhead completely.”

Miller’s comment was included in a letter he wrote to Edward Maguire, inspector general for the Office of the Director of National Intelligence. Miller said he wants Maguire to investigate the project.

“The end result is a current system used to identify terrorist threats that has been crippled by technical flaws and a new system that, if actually deployed, will leave our country more vulnerable than the existing, yet flawed, system in operation today,” wrote Miller.


The subcommittee makes a case for investigation through a variety of documents it obtained, including user-group meeting minutes, e-mails, internal blog postings and technical reports that raise issues with various aspects of the project. The lead systems integrator for Railhead is Boeing’s Space and Intelligence Systems Mission division.

Among the issues Miller wants the inspector general to probe is how Railhead is being used. His letter raises questions about money used by Boeing to renovate a building.

Railhead  software  was  tested  by  the 
Hewlett-Packard  Quality  Center,  which  found 
that  it  “passed  148  tasks,  but  did  not  complete 
26  others  and  failed  42,"  Miller  says.  Specific 
problems  included  a  failure  to  create  reports, 
as  well  as  failing  to  “find  nonexact  matches 
for  key  entities,  such  as  a  suspected  terrorist’s 
name,”  the  memo  said.  “Incredibly,  it  also 
failed  to  demonstrate  the  ability  to  use  basic 
Boolean  search  terms  such  as  and,  or  and  not.” 

The  project  connects  dozens  of  data 
sources  from  a  variety  of  agencies,  using  an 
XML  platform  to  achieve  integration.  But  the 
design  team  behind  the  effort  raised  concerns 
about  the  use  of  XML  and  whether  it  is  viable. 

One e-mail cited in the staff memo, from a contractor in August 2007, expressed concerns that the XML approach could lead to integration problems. That now seems to be the case, according to Miller’s letter.

The National Counterterrorism Center (NCTC) issued a response to Miller’s letter that called it “inconsistent with the facts.” The NCTC said Miller’s “letter implies that there exists a risk to our nation’s security related to the implementation of NCTC’s information technology program.... There has been no degradation in the capability to access, manage and share terrorist information during the life of the Railhead program.”

Moreover,  the  NCTC  statement  implies 
that  Miller’s  group  has  been  out  of  the  loop.  A 
Boeing  spokeswoman  deferred  comment  on 
the  matter. 

-Patrick  Thibodeau 




>>  BRIEFING 


ACCESS  MANAGEMENT 

SIX  ESSENTIAL 
STEPS  TO  SECURE 
ACADEMIA 

Networks  in  the  academic  world  mirror  the 
Wild  West,  where  data  protection  is  an  uphill 
battle.  CISO  Stan  Gatewood  explains 
how  he  pulls  it  off  in  six  essential  steps. 

Computer networks in the academic world are a lot like the Wild West: It’s hard to tell the good guys from the bad, and the sheriff’s ability to maintain order is severely limited.

The long list of data security breaches reported since early 2005 is heavy with the names of such academic institutions as San Diego State University, Ohio University, the University of California at Berkeley, Boston College, Tufts University, George Mason University, the University of Northern Colorado and Purdue University, among many others.

It’s  a  world  all  too  familiar  to  Stan 
Gatewood,  CISO  for  the  University 
System  of  Georgia. 

Georgia’s system is much the same as other university settings. Maintaining open access to information is paramount, whether it’s a webpage students use to access class schedules, an e-mail portal that faculty use to communicate assignments or a database researchers rely on to store and access highly sensitive information.

Meanwhile, students, professors, outside contractors and others are constantly showing up on campus with their own computers: some secure, others full of unpatched flaws and still more that are used to probe the network for weaknesses to exploit.

The information at risk in this environment is immense: financial aid and health records, credit card numbers used in the college bookstore or cafeteria, proprietary information relating to sensitive research being done on campus, and so on.

“We deal with tremendously unique and varied access needs, and the biggest challenge is identity management: properly identifying and classifying individuals,” Gatewood says. “It’s tremendously hard to corral everyone and balance their needs with the security needs in one area.”

There’s also a growing challenge with mobile security, since students and faculty never stay in one place and still need access to the campus network. They need identity and access credentials that will move with them, he says.

While  no  security  program  is  100-percent  successful  in  meeting 
these  challenges,  Gatewood  lives  by  a  six-step  plan  that  has  served 
his  institution  successfully  thus  far.  In  a  recent  interview,  he  outlines 
those  steps: 

STEP 1: RISK MANAGEMENT

No matter how much he learns about information security, Gatewood says the main lesson always comes back to an organization’s ability to manage risks and threats. He advises security pros in academia to hammer out a formal risk management program outlining how to lower risk to an acceptable level.

STEP  2:  POLICY  AND  COMPLIANCE  MANAGEMENT 
Academic  institutions  have  to  comply  with  many  regulations  and 
industry  standards,  from  HIPAA  to  the  PCI  Data  Security  Standard. 
Gatewood  says  a  formalized  group  policy  and  compliance  program 
is  essential  and  must  outline  the  ramifications  of  not  complying  with 
the  rules. 

STEP 3: STRATEGIC PLANNING AND LEADERSHIP

No organization can achieve security on the fly. To that end, Gatewood is a big proponent of strategic planning and having specific people take the lead in specific areas.

STEP 4: COMMUNITY AWARENESS TRAINING AND EDUCATION

University security leaders must educate contractors, staff, students and faculty on security awareness, where the dangers are, the what, why and how, Gatewood says.

STEP  5:  PROPER  INCIDENT 
RESPONSE  AND  REPORTING 
Security  pros  must  always  remember 
that  things  are  going  to  happen  despite 
the  best-laid  plans.  When  that’s  the 
case,  organizations  need  to  be  able  to 
respond  in  a  standardized  way.  There 
must  be  a  high  degree  of  confidence 
that  an  individual  will  respond  to  an 
incident  properly  without  fear  of  their  job  or  how  bad  they’ll  look, 
he  says. 

STEP 6: CONTINGENCY PLANNING

This step goes hand in hand with Step 5, Gatewood says, adding, “Bad things happen. No one at the University of Louisiana thought something like Hurricane Katrina would happen. You have to know what to do when these things take place, make sure you protect the human element and that you have backup systems.”

-B.B 






BUSINESS  RISK  LEADERSHIP 


By  Bob  Violino 


Toward  a  Well-Behaved  Network 

Network  behavior  analysis  tools  can  help  tune  operations  as  well 
as  improve  security.  Here  are  five  tips  for  getting  the  job  done. 


What’s happening on the enterprise network— or more to the point, what’s occurring on the network that should not be— is a major concern of security executives. If someone is trying to hack in, or a virus or worm is spreading, or a denial-of-service attack is underway, there might be evidence of these types of activities before they become a major problem.

Network behavior analysis (NBA) technology helps organizations detect and stop suspicious activity on corporate networks in a timely manner, possibly preventing, or at least limiting, serious damage from attacks. NBA is designed to give security managers a level of network visibility they need in order to make sure security threats are quickly identified and remedied.

The products analyze network traffic through data gathered from devices such as IP traffic flow systems, or via packet analysis. They use a combination of signature and anomaly detection to alert security and network managers of any activity that appears to be out of the norm, providing a view of the network that lets managers analyze activity and respond before there’s damage to systems and data.

“A key benefit of NBA systems is the [network] visibility that they provide,” says Lawrence Orans, research director at Gartner, who leads the firm’s NBA coverage.

20  www.csoonline.com  November  2008 


Orans says this visibility helps in two areas: network operations (for example, troubleshooting and performance) and security (for example, malware monitoring and detecting unwanted applications).

NBA can be used to detect behavior that might be missed by other security technologies such as intrusion prevention systems (IPS), firewalls and security information and event management (SIEM) systems, according to Gartner. Those technologies might not identify threats that they are not specifically configured to look for. Gartner says NBA is suitable as a complementary technology to intrusion detection and prevention software, which is effective for addressing network attacks that can be positively identified.

Photo  by  iStockphoto.com 


Vendors addressing the NBA market include many of the broader, established network and security companies as well as niche players that specialize in the technology. Those that focus specifically on NBA are Arbor Networks, Lancope, Mazu Networks and Q1 Labs. Companies including Cisco Systems, Internet Security Systems (part of IBM), NetFort Technologies, Sourcefire and Securify (to be acquired by Secure Computing) also offer products with some type of NBA capabilities.

Among the common functionality and features of NBA systems are the use of network flow data to identify suspicious behavior on the network and where it’s coming from; mitigation to stop malicious activity and fix network problems; and reports on network configurations and user behavior.

Orans says some NBA vendors are enhancing their products by adding identity capabilities. “Specifically, some vendors have added the ability to map a user [identification] to an IP address,” he says. “This provides the benefit of quickly identifying a user who is responsible for anomalous or malicious traffic.” So, instead of being notified that a particular IP address is exhibiting anomalous behavior, a manager can know exactly which user in the organization is conducting the anomalous behavior.

“This is especially valuable for forensic analysis,” Orans says. “If you are using an NBA system to analyze a breach that occurred in the past, maybe three months ago, then it is often difficult to map the IP address, which is assigned dynamically, to a user. It’s difficult unless your NBA system can do it for you.”
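The two capabilities just described, baselining a host’s behavior from flow records and mapping an address back to the person who held it at the time, can be sketched in a few dozen lines. The following is an added example, not code from the article or from any NBA vendor: all flow records and DHCP leases are constructed, and the fan-out threshold (three times the hourly mean, or one more than the historical maximum, whichever is larger) is an assumption made for illustration.

```python
"""Flow-baseline anomaly detection with time-aware IP-to-user attribution.

Added example, not code from the article or from an NBA product. Every
flow record and DHCP lease below is constructed for illustration."""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed DHCP lease log: (lease_start, lease_end, ip, user). The same
# address is handed to two people over the period, which is what makes an
# address from months ago hard to attribute without the lease history.
LEASES = [
    (datetime(2008, 10, 1), datetime(2008, 10, 8), "10.1.1.5", "alice"),
    (datetime(2008, 10, 8), datetime(2008, 10, 15), "10.1.1.5", "bob"),
    (datetime(2008, 10, 1), datetime(2008, 10, 15), "10.1.1.9", "carol"),
]


def user_for(ip, at):
    """Return the user who held the DHCP lease for `ip` at time `at`, or None."""
    for start, end, lease_ip, user in LEASES:
        if lease_ip == ip and start <= at < end:
            return user
    return None


def flow(ts, src, dst, dport):
    """A minimal flow record: timestamp, source, destination, destination port."""
    return {"ts": ts, "src": src, "dst": dst, "dport": dport}


# Constructed training flows, two days of normal behavior: 10.1.1.5 talks to
# three servers an hour over HTTPS; 10.1.1.9 talks to one file server over SMB.
TRAINING = []
for hour in range(48):
    ts = datetime(2008, 10, 2, 9) + timedelta(hours=hour)
    for i in range(3):
        TRAINING.append(flow(ts, "10.1.1.5", f"10.2.0.{i + 1}", 443))
    TRAINING.append(flow(ts, "10.1.1.9", "10.2.0.1", 445))

# Constructed detection window: 10.1.1.5 suddenly contacts 40 peers on the SMB
# port within one hour, the fan-out pattern of a spreading worm.
INCIDENT_HOUR = datetime(2008, 10, 10, 14)
WINDOW = [flow(INCIDENT_HOUR + timedelta(minutes=m), "10.1.1.5", f"10.1.1.{20 + m}", 445)
          for m in range(40)]
WINDOW.append(flow(INCIDENT_HOUR + timedelta(minutes=5), "10.1.1.9", "10.2.0.1", 445))


def hourly_profile(flows):
    """Group flows by (source, hour) into the set of peers and ports contacted."""
    prof = defaultdict(lambda: {"dsts": set(), "dports": set()})
    for f in flows:
        key = (f["src"], f["ts"].replace(minute=0, second=0, microsecond=0))
        prof[key]["dsts"].add(f["dst"])
        prof[key]["dports"].add(f["dport"])
    return prof


def build_baseline(flows):
    """Per source host: mean and max distinct peers per hour, and ports ever used."""
    per_host = defaultdict(lambda: {"fanout": [], "dports": set()})
    for (src, _hour), p in hourly_profile(flows).items():
        per_host[src]["fanout"].append(len(p["dsts"]))
        per_host[src]["dports"] |= p["dports"]
    return {
        src: {"fanout_mean": statistics.mean(v["fanout"]),
              "fanout_max": max(v["fanout"]),
              "dports": v["dports"]}
        for src, v in per_host.items()
    }


def detect(flows, baseline, factor=3.0):
    """Flag hours where a host's peer count or port usage departs from its baseline.

    Each alert names the user who held the address during that hour, looked
    up from the lease history rather than from the current DHCP table."""
    alerts = []
    for (src, hour), p in hourly_profile(flows).items():
        base = baseline.get(src)
        reasons = []
        if base is None:
            reasons.append("host has no baseline")
        else:
            fanout = len(p["dsts"])
            if fanout > max(factor * base["fanout_mean"], base["fanout_max"] + 1):
                reasons.append(f"fan-out {fanout} peers vs. baseline {base['fanout_mean']:.1f}")
            new_ports = p["dports"] - base["dports"]
            if new_ports:
                reasons.append(f"new destination ports {sorted(new_ports)}")
        if reasons:
            alerts.append({"src": src, "hour": hour, "user": user_for(src, hour), "reasons": reasons})
    return alerts


def run_example():
    """Build the baseline from TRAINING and score WINDOW against it."""
    return detect(WINDOW, build_baseline(TRAINING))


if __name__ == "__main__":
    for a in run_example():
        print(a["hour"], a["src"], a["user"], "; ".join(a["reasons"]))
```

The point of the lease lookup is the timestamp: `user_for` is asked who held the address during the alerting hour, not who holds it now, which is the difference between an alert that names a person and one that names an address somebody else has since been assigned.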

Before deploying NBA, security managers need to figure out which system is a good fit for their network and how best to use the technology. Here are five tips on evaluating, purchasing and implementing NBA offerings.

1. Before putting in NBA, first deploy intrusion prevention technology.

“NBA systems are best for organizations that have already implemented IPS systems” and are looking for more visibility into their network and network traffic, Orans says. “NBA is not something that you do before IPS or instead of IPS. It is done afterward because it provides visibility.”

After successfully deploying IPS and firewalls with appropriate processes for tuning, analysis and remediation, consider adding NBA to identify network events and behavior that are undetectable using other techniques, Orans says. He notes that the size of an organization does matter when it comes to NBA.

“NBA is for large enterprises; it’s not for SMBs,” Orans says. “The expertise and experience level needed to tune an NBA solution and interpret its results is beyond most SMB network and security professionals.”

2. Conduct a thorough analysis prior to selecting a vendor’s offering.

It might sound obvious, but NBA systems can cause more harm than good if they’re not carefully selected based on the needs of the organization, existing network components, level of in-house expertise, etc.

When evaluating NBA systems, make sure they meet the organization’s requirements for analysis and reporting, and can be integrated with existing networks. Also, consider how easy or difficult the system is to calibrate and use.

“Think of all the devices you need to collect flows from,” says John Kindervag, senior analyst, security and risk management, at Forrester Research in Cambridge, Mass. “Will they all support sending flows? Will enabling flows on the device negatively impact its performance?”

Depository Trust & Clearing Corporation (DTCC), a New York-based firm that provides clearing, settlement and information services for a variety of financial instruments including equities, corporate and municipal bonds, and government and mortgage-backed securities, evaluated several NBA vendors and reviewed market research on the technology within its security department before selecting a product from Mazu Networks, says Neil Wasserman, vice president, Core and Smart Network Services at DTCC.

“We installed a Mazu demo and ran it through a rigorous evaluation,” Wasserman says. “The product met our requirements, and the rest is history.”

3.  Test  before  broad  rollout. 

Experts say it’s important to thoroughly test an NBA system before moving ahead with a full-scale implementation. That way, security managers can see what kind of actual reporting they will get on network activity.

“The only way to properly evaluate the tools [is] to install them in your live production network,” Kindervag says. “Any other evaluation methodology, lab, etc., will not provide true results.”

AirTran Airways, Orlando, Fla., a low-fare airline designed for business travelers, had vendor Lancope conduct an onsite proof-of-concept trial of its StealthWatch product before the system was rolled out broadly, says Michelle Stewart, manager of information security at AirTran. The proof of concept “had no impact [on] our production environment and demonstrated the effectiveness of the reporting.”

During the implementation, AirTran worked closely with a Lancope engineer and deployed the system according to Lancope best practices, Stewart says.

AirTran’s security team uses StealthWatch for network monitoring, reporting and forensics. The network team uses the system to troubleshoot behavior-related network issues, Stewart says. Managers can examine granular data about network behavior by zone, node and user, and collect historical data to view trends.

4. Tune NBA systems to cut down on false positives.

>> TOOLBOX

Who’s who: Major network behavior analysis vendors, as identified by Gartner

Arbor Networks (www.arbornetworks.com)
Product: Peakflow X
Features: Provides networkwide visibility by leveraging IP flow technology; improves performance of critical applications on a network by detecting traffic violations; detects zero-day threats missed by signature-based security tools.

Cisco Systems (www.cisco.com)
Product: Monitoring, Analysis, and Response System (MARS)
Features: Provides security monitoring for network devices and host applications; makes precise recommendations for threat mitigation, including the ability to visualize the attack path and identify the source of a threat with detailed topological graphs.

IBM Internet Security Systems (www.iss.net)
Product: Proventia Network Anomaly Detection System (ADS)
Features: Uses network flow data to determine which users and hosts communicate with each other and how; automatically detects active security threats, risky user behavior, performance issues and noncompliant activities such as policy violations and unapproved network changes.

Lancope (www.lancope.com)
Product: StealthWatch
Features: Monitors network infrastructure to actively detect problems, security threats and internal employee misuse in real time; detects and prioritizes network performance issues, insider misuse and zero-day worms that affect network health and host integrity; provides audits and reports of all network communications, host configurations, user identity and behavior.

Mazu Networks (www.mazunetworks.com)
Product: Mazu Profiler
Features: Collects network flow data and enhances it with application and user identification and behavior analytics; role-based presentations enable users to access network data in a format tailored to specific needs.

NetFort Technologies (www.netforttechnologies.com)
Product: LANGuardian
Features: Dashboard provides a range of reports on infected machines, Skype users, large data transfers, spyware and which users are doing what on the network; tracks events and network traffic flows on a network by user name and department.

Q1 Labs (www.q1labs.com)
Product: QRadar
Features: Enables organizations to meet specific security control objectives including log management, threat management and compliance management; provides integrated log management, security information and event management, and NBA functions in a single console.

Securify (www.securify.com)
Product: Securify Monitors
Features: Tracks network access and behavior across systems and networks using flow-based data, deep packet inspection or both; user identity and group/role associations are dynamically drawn from existing user directories, and prioritized violations with user identities and incident details are available via a Web interface.

Sourcefire (www.sourcefire.com)
Product: 3D System
Features: Combines intrusion prevention, network access control, vulnerability assessment and NBA functions in one system; provides a continuous, real-time view of what’s transpiring on a network, assembling a database of network assets, operating systems, services and applications, and identifying potential vulnerabilities on these devices.

Experts say it’s important to take the time to effectively tune NBA systems to gather relevant network data and help reduce false positives.

If an organization fails to fine-tune NBA systems adequately, it might have to contend with a lot of false-positive readings that overburden the network and security managers who need to examine all the alerts.

“We did this tuning exercise immediately upon implementation, and it proved extremely valuable,” Stewart says. “After segregating our network geographically and logically into zones, we examined the behavior within our high-risk zones for volume and type of traffic. In several cases, the port/protocol information we were given from our application vendors was found to be incomplete, but by using StealthWatch we were able to properly fingerprint the application behavior.”

After tuning the zone behavior policies appropriate to the high-risk zones, “our alarm count was much more manageable and useful,” Stewart says. “This information also allows us to properly plan WAN bandwidth growth, as we can determine how much legitimate network traffic is required for business.”
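What Stewart describes, a zone policy that starts from the vendor’s documentation and is corrected from observed behavior, looks like this in code. The following is an added example, not from the article, AirTran or Lancope; the zones, the flows and the threshold of three distinct source hosts before a service is proposed as a policy entry are all constructed for illustration.

```python
"""Zone policy tuning for a flow-based monitor: alarms before and after
fingerprinting application behavior. Added example, not code from the article
or from a vendor; zones, flows and the vendor policy are constructed."""
import ipaddress
from collections import defaultdict

# Constructed zones, the geographic/logical segmentation the article describes.
ZONES = {
    "pos-lanes": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/24"),
    "wan-atl": ipaddress.ip_network("10.30.0.0/16"),
}


def zone_of(ip):
    """Name of the zone containing `ip`, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


# Policy as documented by the application vendor: allowed (proto, dport) per
# (source zone, destination zone). Deliberately incomplete, as in the article.
VENDOR_POLICY = {
    ("pos-lanes", "servers"): {("tcp", 443)},
    ("wan-atl", "servers"): {("tcp", 443), ("tcp", 1433)},
}

# Constructed flows: (src, dst, proto, dport). Six lanes use the documented
# HTTPS service and an undocumented 8443 heartbeat; one lane also opens RDP.
FLOWS = []
for lane in range(1, 7):
    FLOWS.append((f"10.10.1.{lane}", "10.20.0.5", "tcp", 443))
    FLOWS.append((f"10.10.1.{lane}", "10.20.0.5", "tcp", 8443))
FLOWS.append(("10.10.1.3", "10.20.0.5", "tcp", 3389))
FLOWS.append(("10.30.4.2", "10.20.0.5", "tcp", 1433))


def evaluate(flows, policy):
    """Return one alarm per flow that the zone policy does not allow."""
    alarms = []
    for src, dst, proto, dport in flows:
        pair = (zone_of(src), zone_of(dst))
        if (proto, dport) not in policy.get(pair, set()):
            alarms.append({"zones": pair, "proto": proto, "dport": dport, "src": src, "dst": dst})
    return alarms


def fingerprint(flows, min_sources=3):
    """Propose services seen from at least `min_sources` distinct hosts in a zone pair.

    A service that many hosts use consistently is far more likely to be the
    application's real behavior than a single host's one-off connection."""
    sources = defaultdict(set)
    for src, dst, proto, dport in flows:
        sources[(zone_of(src), zone_of(dst), proto, dport)].add(src)
    return {k: sorted(v) for k, v in sources.items() if len(v) >= min_sources}


def tune(policy, accepted):
    """Return a new policy with the accepted (src_zone, dst_zone, proto, dport) entries added."""
    tuned = {pair: set(services) for pair, services in policy.items()}
    for src_zone, dst_zone, proto, dport in accepted:
        tuned.setdefault((src_zone, dst_zone), set()).add((proto, dport))
    return tuned


def run_example():
    """Alarms before tuning, the new entries a person would be asked to accept,
    and alarms after those entries are added to the vendor policy."""
    before = evaluate(FLOWS, VENDOR_POLICY)
    proposals = fingerprint(FLOWS)
    new_entries = [k for k in proposals
                   if (k[2], k[3]) not in VENDOR_POLICY.get((k[0], k[1]), set())]
    after = evaluate(FLOWS, tune(VENDOR_POLICY, new_entries))
    return before, new_entries, after


if __name__ == "__main__":
    before, new_entries, after = run_example()
    print(len(before), "alarms before;", new_entries, "proposed;", len(after), "after")
```

Before tuning, every lane’s undocumented 8443 connection raises an alarm alongside the single RDP session; after the fingerprinted service is accepted, only the RDP session remains, which is the one alarm worth a person’s time. The acceptance step is deliberately manual: the code proposes, the analyst decides.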

5. Use NBA data to help determine network usage patterns.

Stewart says it was important that AirTran managers spend as much time as necessary reviewing the behavior data gathered to appropriately classify zones, zone policies and services.

“We discovered a great deal about ports, protocols and chattiness of third-party applications during this exercise,” Stewart says. “Our zones include geographic segregation, allowing both security and networking to quickly review and treat WAN location issues. We defined server zones by behavior, allowing more granular control over alerting.”

Also, in using NBA systems, it’s important to create focused views and logical groupings within the tool that make sense, says Wasserman. “Strive for ease of use and an easy understanding of common sense nomenclature and device or host groupings,” he says. “Limit the number of flows that need to be queried or viewed” in order to get useful network information on a more timely basis.

That way, NBA can provide not only greater network visibility, but an effective way to deal with trouble when it arises. ■


Bob Violino is a freelance writer. Send feedback to Editor Derek Slater at dslater@cxo.com.





We are extremely proud that our editorial and design efforts have been recognized as the Best of the Best by ASBPE because the awards are based on how well we serve the needs of the CSO community. And as our readers, you recognize our efforts daily with your visits to CSOonline.com, your letters to the editors, and your involvement with our content.

We appreciate the time you spend with us!

The American Society of Business Publication Editors (ASBPE) is the professional association for business-to-business editors and writers which helps editors develop and improve their editorial and publishing management skills, and enhance their ethical standards and the editorial excellence of their publications. The Society is widely known for its annual Azbee Awards of Excellence competition in editorial and design of magazines, newsletters, and digital publications. As part of the 30th Anniversary Azbee Awards of Excellence celebration, one overall magazine winner in each of the two circulation categories (our sister publication CIO magazine was the other publication honored) and one website (cio.com) were honored.


CSO magazine, Business Risk Leadership, www.CSOonline.com. Top business-to-business magazine since 2000.

CSO magazine is the proud recipient of the Azbee Awards of Excellence, the highest honors ASBPE has ever given to recognize consistent editorial and design excellence.


COVER STORY | LOSS PREVENTION

Point of Steal

Cash registers and point-of-sale devices have always been targeted for theft. And now they’re more complex than ever.

By Michael Fitzgerald

WHEN THIEVES STOLE the PIN pads at a cash register in one of his company’s stores, Daniel Marcotte was amazed. Not that they’d done it; such thefts can happen once a week during the holiday season. But watching it on videotape later, “I couldn’t tell they had it with them when they left” the store, says Marcotte, director of systems and data security at La Senza, a Montreal retailer now owned by The Limited.

A couple of hours later, the thieves were back. They’d doctored the PIN pads to let them get customer card data. They got them back onto the point-of-sale system quickly, too. But here’s where La Senza’s security precautions kicked in: Its PIN pads in effect have their own Media Access Control address, and once they’re disconnected, that address is no longer available. So the thieves were foiled, this time.

The point of sale has always been a target for thieves. While they once went after the cash drawer, retailers often find themselves facing sophisticated networks of thieves intent on the criminal equivalent of volume discounts: reams of credit card data, entire shelves of goods to launder or, in the case of pharmaceuticals like Sudafed, drugs used for making methamphetamines. Retailers, then, operate under the constant threat of having their point of sale either hacked by cyberthieves or spoofed by real ones.

Between  them,  they  target  all  the  major 
aspects  of  a  modern  point-of-sale  system: 

■  The  cash  register 

■  The  bar-code  scanner 

■  Wireless  access 

■  The  in-store  voice  or  IP  network 

■  The  store  inventory  management 
system. 
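The La Senza precaution above, a PIN pad whose address stops being valid the moment it is unplugged, is a small state machine. The following is an added example, not code from the article or from La Senza: the registry model, the supervisor-only re-enrollment and the firmware-hash check that stands in for whatever attestation a real pad supports are assumptions, and every address, serial and hash is constructed.

```python
"""PIN pad binding with revocation on disconnect.

Added example, not code from the article or the retailer. The firmware hash
stands in for device attestation; real pads rely on tamper-responsive
hardware as well. All identifiers are constructed."""
import hashlib

# Constructed vendor reference: firmware images a lane will accept.
KNOWN_GOOD_FIRMWARE = {hashlib.sha256(b"pinpad-fw-2.4.1").hexdigest()}


class LaneRegistry:
    """Tracks which PIN pad (by MAC-style address) may talk to which lane.

    A binding is made once, by a supervisor, and is revoked the moment the
    pad reports link-down. A pad that reappears is refused until a
    supervisor re-enrolls it, and re-enrollment checks the firmware hash so
    that a pad doctored while it was out of the store is refused as well."""

    def __init__(self):
        self.bindings = {}    # lane -> {"mac": ..., "serial": ...}
        self.revoked = set()  # addresses seen disconnecting since last enrollment

    def enroll(self, lane, mac, serial, firmware_hash, supervisor):
        """Bind a pad to a lane. Refuses unknown firmware; clears any revocation."""
        if not supervisor:
            return "refused: enrollment requires a supervisor"
        if firmware_hash not in KNOWN_GOOD_FIRMWARE:
            return "refused: firmware hash not in vendor list"
        self.bindings[lane] = {"mac": mac, "serial": serial}
        self.revoked.discard(mac)
        return "enrolled"

    def link_down(self, lane):
        """Physical disconnect: the pad's address is no longer valid for the lane."""
        bound = self.bindings.pop(lane, None)
        if bound:
            self.revoked.add(bound["mac"])
        return bound is not None

    def authorize(self, lane, mac, serial):
        """Decide whether a pad presenting (mac, serial) may serve this lane."""
        bound = self.bindings.get(lane)
        if bound is None:
            if mac in self.revoked:
                return "refused: address revoked after disconnect"
            return "refused: lane has no enrolled pad"
        if (bound["mac"], bound["serial"]) != (mac, serial):
            return "refused: pad does not match enrollment"
        return "allowed"


def run_example():
    """Replay the scenario: enroll, theft (link down), return, re-enrollment attempts."""
    reg = LaneRegistry()
    good = hashlib.sha256(b"pinpad-fw-2.4.1").hexdigest()
    doctored = hashlib.sha256(b"pinpad-fw-2.4.1+skimmer").hexdigest()
    log = []
    log.append(reg.enroll("lane-3", "00:1a:2b:3c:4d:5e", "SN123", good, supervisor=True))
    log.append(reg.authorize("lane-3", "00:1a:2b:3c:4d:5e", "SN123"))
    reg.link_down("lane-3")                                            # pad leaves the store
    log.append(reg.authorize("lane-3", "00:1a:2b:3c:4d:5e", "SN123"))  # plugged back in
    log.append(reg.enroll("lane-3", "00:1a:2b:3c:4d:5e", "SN123", doctored, supervisor=True))
    log.append(reg.enroll("lane-3", "00:1a:2b:3c:4d:5e", "SN123", good, supervisor=False))
    return log


if __name__ == "__main__":
    for line in run_example():
        print(line)
```

The decisive step is `link_down`: the address is invalidated by the disconnect itself, not by anyone noticing the theft, so the doctored pad is refused even though it is back on the lane within hours and nobody has reviewed the tape yet.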

Where once the big scourge was “till tappers”—people who grab the money and run—that’s no longer a major headache for most retailers, says Keith Aubele, the former loss prevention executive at Wal-Mart and Home Depot, and now a loss-prevention consultant. Instead, they have to contend with sophisticated rings of thieves who’ve figured out that it’s far more lucrative to systematically steal goods by spoofing the point-of-sale systems, especially self-checkout systems, which are “incredibly easy to bypass,” says Aubele.

“You’ve got one supervisor for four to six registers, and you can easily distract that person and you take merchandise and scan some and hit the deactivator and walk out,” he says.

A bigger problem still is under-ringing, or sweethearting, where crooked cashiers in cahoots with thieves simply don’t scan all the items presented. Retail theft was almost $35 billion, according to the 2007 National Retail Security Survey, and Aubele estimates that between $8 billion and $10 billion of it comes from under-ringing.

“Under-ringing is incredibly hard to detect, under any system,” he says.

Small note of irony: The first mechanical cash register (patented in 1883) was nicknamed “the incorruptible cashier.”

The major modern method for catching under-ringers is video analytics applied at the point of sale. Companies like IBM, Milestone and an Aubele client, Wren Solutions, all offer video analytics that aim to help store managers see when breaches have occurred.

But such analytics are a bit “pie in the sky,” cautions Steve Hunt of Hunt Business Intelligence in Evanston, Ill. All the pieces work well, he says: “the cameras work fine, the recording system works fine, it integrates with the point-of-sale system perfectly by tagging every transaction, but the analytics aren’t good enough. It’s analytics 1.0.”

Aubele acknowledges that video analytics is “a work in progress,” but says “it’s light-years today ahead of where it was two years ago,” and in two years will be light-years ahead of today.

Meanwhile, there are new approaches being tried with traditional smash-and-grab techniques, like running off with a rack of leather jackets. Time Domain, a maker of real-time location systems, is putting radio frequency identification (RFID) tags into high-value items, and tracking them via ultra wideband (UWB) wireless technology. Time Domain’s technology creates electronic article surveillance that ties into the cameras at the front of the store and will flag the unusual, like an entire rack of leather coats suddenly moving, and pan the cameras on the items—as long as the store uses pan-and-tilt video cameras. This technology is in pilot right now.

Illustration by Jonathan Barkat

THE FLIP SIDE OF CAPTURING CUSTOMER DATA

Missing merchandise is a visible, countable problem for retailers. Stolen customer data is murkier. Compounding the issue is a fundamental problem: Point-of-sale technology wasn’t designed to capture customer data, securely or otherwise. Most retail technology was developed to help companies track product information: what was sold, when and for how much. But retailers now use these technologies to capture customer data.

That means “at the place where data is captured, you have a rat’s nest of different technologies cobbled together in a way that didn’t pay any heed at all to the sensitivity of the data it captures,” says Brian Kilcourse, managing partner of RSR Research.

Worse, retailers in the last decade shifted away from proprietary networking technologies like IBM’s Token-Ring to Internet Protocol, which offers great flexibility but has inherent security issues. Retailers also tend not to encrypt data, and have been aggressive about adopting wireless technologies, which are harder to secure than wired ones.

It is perhaps small wonder that the biggest known data theft to date occurred at a retailer, TJ Maxx, or that high-profile data attacks have happened at Hannaford, Lowe’s, Stop & Shop and other retailers.

In the last few years, a series of improvements in process and technologies have improved point-of-sale cybersecurity. Some of these improvements come thanks to the efforts of card brands like American Express, MasterCard and Visa, which created the Payment Card Industry Data Security Standard, PCI DSS for short.

Among them:

■ Compensating controls to manage data flow into and out of the various point-of-sale technologies. PCI includes provisions for such controls for different sorts of retailers;

■ encryption protocols for transmitting data between different parts of point-of-sale systems, such as the bar-code scanner and the credit card swiper. VeriFone’s VeriShield is a popular example;

■ better data storage practices, like changing software commands to avoid storing certain types of data;

■ for data that is stored, using encryption systems;

■ wireless credit card readers like the Exadigm XD2000, which include built-in security and reduce potential credit card fraud by making sure the credit card never leaves its owner’s hands.

WAITER, THERE’S A HACKER IN MY SOUP

But it’s a gigantic challenge to get new technology out to the millions of points of sale, which range from the big box retailers to the fitness club to the restaurants to the corner gas station. Each kind of retailer presents its own problems.

Avivah Litan, a Gartner analyst, notes that gas stations have a PCI exemption until 2010, in part because credit card readers tend to be integrated into gas pumps, so upgrading the card reader means upgrading the pump, a very pricey proposition. In the meantime, pumps at the gas station feed to a server, which might feed to a regional server and then on to one at a headquarters operation, each a potential point of weakness.

Many retailers have flocked to wireless technology, which can create more flexible floor layouts and, for restaurants, can draw customers. But the white-hat hacker Simple Nomad says he was asked by a friend who managed a Bennigan’s to check out whether a wireless hub in the restaurant allowed him to gain access to the point-of-sale terminal. He was able to do so. In another restaurant with a wireless hub, he found he could alter orders at the point of sale.

Wireless networks can become insecure even after a retailer thinks it’s taken all the right steps to secure them, says Peter Evans, vice president of marketing at IBM Internet Security Systems. Evans says wireless access points are often set to default to insecure settings. So after a power outage or a reset, the security settings would default to off, and the retailers might not know for months that their information was vulnerable to hackers. The obvious control is a periodic comparison of each access point’s running settings against the intended configuration, so that a reset to factory defaults is noticed in hours rather than months.

Evans says it’s also simple to put a data skimmer on credit card swipe readers without anyone noticing. In fact, he says that recently, “I was a victim of one of these.”

In his case, he says he was fortunate that his credit card provider’s algorithms were able to detect fraudulent usage when his credit card data was used, and the thief was nabbed.

Meanwhile, the PCI Security Standards Council certifies software for use with point-of-sale systems. But Tom Wabiszczewicz, a security consultant at Neohapsis, one of the six Qualified Incident Response Assessors (QIRA) under Visa’s Cardholder Information Security Program (CISP), says issues persist. Over the course of the year, he’s run into situations where companies have secure servers, but Windows-based point-of-sale terminals sitting directly on the Internet are effectively wide open to attack.

He’s also seen companies that were storing Track 2 data unencrypted. Track 2 data can be used to recreate a credit card, which is why PCI DSS forbids storing full track data after authorization at all, encrypted or not. In one case he saw at a U.S. retailer, its Track 2 data was being sniffed and used to create fraudulent credit cards that were being used days later in Tokyo.




He says some problems are caused when companies upgrade to a PCI-compliant version of their software without getting rid of the old software, or with older, unencrypted data in databases. Wabiszczewicz says that “they’re doing things correctly from that point on, but what about the leftover data from the database, or the previous version that didn’t encrypt the credit card number or stored Track 2 data?”

Wabiszczewicz recommends that any such upgrade should include a complete reinstall of the entire system.
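Finding the leftover data Wabiszczewicz describes means searching for the Track 2 layout itself, since a pre-upgrade log or an old table will not be labelled as card data. The following scanner is an added example, not code from the article or from Neohapsis: it recognises the ISO/IEC 7813 Track 2 format (PAN, `=` separator, YYMM expiry, three-digit service code, discretionary data) and uses the Luhn check to discard digit runs that only look like a card number. The sample lines are constructed.

```python
"""Scanner for unencrypted Track 2 data left in logs, dumps or databases.

Added example, not code from the article or from an assessor. The layout
rules are those of ISO/IEC 7813 Track 2; the sample lines are constructed."""
import re

# Track 2: optional start sentinel ';', PAN of 13-19 digits, separator '=',
# expiry YYMM, 3-digit service code, discretionary data, optional end '?'.
TRACK2_RE = re.compile(
    r"(?<!\d);?(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d{0,30})\??"
)


def luhn_ok(pan):
    """Luhn check on a PAN; rejects most digit runs that merely look like a card."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep the first six and last four digits, as a report may show."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(text, require_luhn=True):
    """All Track 2 fragments in `text`, PAN masked, optionally Luhn-filtered."""
    hits = []
    for m in TRACK2_RE.finditer(text):
        pan = m.group("pan")
        if require_luhn and not luhn_ok(pan):
            continue
        hits.append({
            "masked_pan": mask(pan),
            "expiry": m.group("exp"),        # YYMM
            "service_code": m.group("svc"),  # 2xx/6xx: chip card
            "offset": m.start(),
        })
    return hits


def scan_lines(lines, require_luhn=True):
    """Scan an iterable of text lines; each finding records its 1-based line number."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for hit in find_track2(line, require_luhn):
            hit["line"] = lineno
            findings.append(hit)
    return findings


# Constructed sample of what an old install leaves behind. 4111111111111111
# is a well-known Luhn-valid test number; the last line is a look-alike.
SAMPLE_LINES = [
    # pre-upgrade debug log that wrote the raw swipe
    "2008-10-14 12:03:11 swipe lane=3 raw=;4111111111111111=1012101123456789?",
    # leftover column from the old schema, sentinels stripped
    "order_id=88213|card=4111111111111111=1012101|amount=42.17",
    # post-upgrade record: card data replaced by a token
    "order_id=88214|card=tok_7f3c9e|amount=19.99",
    # digit run with the right shape but a failing Luhn check
    "ref=1234567890123456=1012101",
]


def run_example():
    """Scan the constructed sample with the Luhn filter on."""
    return scan_lines(SAMPLE_LINES)


if __name__ == "__main__":
    for f in run_example():
        print(f"line {f['line']}: {f['masked_pan']} exp {f['expiry']} svc {f['service_code']}")
```

Run the scanner with `require_luhn=False` to see why the filter matters: the fourth sample line matches the layout but is not a real PAN. In practice this is pointed at database exports, application logs and backups from before the upgrade, which are exactly the places the old software wrote to, and any hit on a live system is evidence of data PCI DSS does not allow to be kept.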

Despite these myriad issues, Wabiszczewicz says it is relatively straightforward to protect today’s point-of-sale systems. “If you have a correct policy, you train employees, limit what they can do on the front end of the POS system and you’re running PCI-compliant point-of-sale software, you are in very good shape,” he says.

GRADE-A  UPGRADE 

Companies that are installing brand new point-of-sale systems have a much better chance of being secure from the get-go.

That’s the course followed by Original Pizza Pan, in North Ridgeville, Ohio. A 25-year-old operation, it went through a franchise boom in the last few years, and now has about 100 locations. It had never used a formal point-of-sale system in its stores, and in 2007 decided that it was time to get one. A secure system was one of its priorities, though it was about fourth on its priority list, behind things like ease of ordering, better customer service and building databases of customers, says Edward Rizk, the firm’s development director.

Rizk says that he picked a vendor, DiamondTouch, that develops systems specifically for pizza stores. But it was a big plus that it offered managed security services and also gave them the option to integrate a surveillance camera with the point-of-sale system. Such systems time-stamp the video every time the cash register drawer opens, allowing store owners to monitor whether money is staying where it belongs.

The systems don’t use wireless at all; DiamondTouch encourages franchisees to change their passwords on a monthly basis and makes sure they’re encrypting their data. The franchisees are not expected to send data on operations or customers back to the central office, Rizk says.

Even so, the system isn’t ironclad. Original Pizza Pan wants its store owners to store their data on a separate computer as a backup. Rizk says, “I recommend to my franchises that they download their database to a computer that does not have Internet access.” But whether they really listen to him, he doesn’t know. “That’s their business,” he says.

Rizk is in the enviable position of being able to start from scratch. Most established retailers don’t have that luxury, says RSR’s Kilcourse. Worse, a large retailer probably has the ultimate distributed computing environment, which makes it a huge headache to upgrade.

“If you have 3,000 stores with 10 to 12 point-of-sale systems apiece, you have a management problem of very large proportion,” Kilcourse says. “How do you safely upgrade so many systems? And if you’re going to do it, how do you afford the cost?”

He says that it’s almost financially impossible for a large retailer to go through a major replacement of point-of-sale systems. In fact, he says he’s heard a retail CIO say his point-of-sale system was “old enough to drink.”

The downturn means that retailers will likely hang on to technology even longer. The threat of fines for not complying with PCI is spurring companies to upgrade. But it’s hard for retailers to cost-justify many types of technology upgrades.

For instance, chip-and-PIN technology for credit cards, prevalent in Europe, is more secure than using classic magnetic-stripe cards. TJX Vice Chairman Donald Campbell told The Boston Globe in late August that he’d like to see retailers, banks and card issuers pool their resources and upgrade all cards and readers to the chip-and-PIN system. The cost: about $2 per credit card and as much as $500 per reader, multiplied by 12 million readers. Campbell told the Globe that it would probably cost TJX $20 million to upgrade to chip-and-PIN readers. (TJX did not respond to a request for comment for this article.)

Economic downturns, cost obstacles and technology weaknesses aside, retailers will continue to battle the threats they face. And vendors will continue to try to make it easier to battle those threats. IBM, on October 1, announced its new SecureStore initiative, which aims to help store owners better manage their technology centrally. Evans says that part of IBM’s motivation for the announcement is to address the scale problem that retailers face when trying to upgrade and monitor systems spread out at literally thousands of stores, with perhaps tens of thousands of points of sale. The intent is that companies can use IBM server and management technology to do remote upgrades and monitoring of systems to identify situations such as an open wireless network, and then fix it.

“The current model of delivering security to customers is broken—the customer just wants security to go away,” Evans says.

IBM’s management effort is not the first, but Kilcourse says it was probably more holistic than others on the market.

La Senza’s Marcotte is a likely adopter of SecureStore offerings. He’s already using some of IBM’s security software, and he’s placed a purchase order for IBM’s Tivoli management system to help centralize upgrades and monitor the company’s roughly 1,000 point-of-sale systems across 350 stores.

Being able to monitor and do software upgrades remotely would be a plus, he says, especially since La Senza tends to upgrade its point-of-sale terminals roughly every three years, which he calls “heavy work” for the six people who work on point-of-sale security at the company.

“This centralized approach will be huge,” says Marcotte.

Of course, centralized management creates a single high-value target for hackers to attack: whoever compromises the management server can push software to every terminal it controls. But in security, there are always trade-offs. ■

Michael Fitzgerald is a freelance writer. Send feedback to Editor Derek Slater at dslater@cxo.com.


November  2008  www.csoonline.com  27 



“Our job is to teach people the way we think.”

—Dennis Devlin, CISO, Brandeis University


You’ve  beefed  up  your  IT  security  arsenal 
and  you’re  focused  on  compliance.  But 
you’re  still  vulnerable.  Here’s  why. 


Not to be alarmist, but WAKE UP, PEOPLE! Our information security is, in many ways, failing.

Ask the 11 alleged hackers charged in August with breaking into TJX and other retailers by way of insecure Wi-Fi. Forty million credit and debit card numbers were stolen. Ask the Medicaid claims processor at the outsourcer EDS. In February she pleaded guilty to stealing Social Security numbers and dates of birth, and selling them for use on fake tax returns. Ask the courier hired by the University of Utah Hospital to take backup tapes to offsite storage. One day in June, he used his own car instead of his company’s secured van. The tapes, containing billing data for 2.2 million patients, were stolen from his front seat.

Or you could, as we did, ask 7,097 business and technology executives worldwide about their security troubles. In this, our sixth year of conducting the “Global State of Information Security” survey with PricewaterhouseCoopers (PwC), we got an earful about the challenges, worries and wins in security technology, process and personnel.

Quantifying returns on information security projects can be a struggle, often because it’s hard to put a dollar value on a crisis averted. This year, a bad economy forces decision makers to squint even harder at proposals. Even so, survey results show companies are buying and applying technology tools, including software for intrusion detection, encryption and identity management, at record levels. That’s pretty good news.

Photo by Webb Chappell

GLOBAL SECURITY SURVEY

However—and this is serious, folks—too many organizations still lack coherent, enforced and forward-thinking security processes, our survey shows.

While 59 percent of respondents said they have an “overall information security strategy,” that’s up just two points from last year and it’s not enough, says Mark Lobel, advisory services principal at PricewaterhouseCoopers. Two elements, Lobel says, correlate with lower numbers of security incidents: having a C-level security executive and developing the aforementioned security strategy. But disappointing numbers piled up this year. For instance, 56 percent of respondents employ a security executive at the C level, down four points from last year. You comb network logs for fishy activity, but just 43 percent of you audit or monitor user compliance with your security policies (if you have them). This is up six points from 2007, but still “not where we need to be,” Lobel says.

As a result, security is still largely reactive, not proactive. More-sophisticated organizations will funnel data from network logs and other monitoring tools into business-intelligence systems to predict and stop security breaches. So along with encryption fanatics and identity management experts, an infosec team needs statisticians and risk analysts to stay ahead of trouble and keep the company name off police blotters.

Still, while our survey illuminates continuing problems, in discovering these, we also see a path to safer data for companies that, yes, apply technology but also develop processes and make them part of everyone’s everyday work. So it’s not all grim. What we have to do now is examine our failings, then act.

Who Pays for Security?

Few companies have dedicated security budgets. IT is still a common source of security money, but funding from business functions is on the rise.

FUNDING SOURCE        2007    2008
Functional budgets     47%     60%
IT budget              65%     57%
Security budget        24%     24%
RESPONDENTS CHOSE ALL THAT APPLY


Why Companies Care

Business continuity and compliance lead the reasons for investing in security.

Business continuity and disaster recovery    57%
Internal policy compliance                   46%
Regulatory compliance                        44%
Digital convergence trends                   23%
Outsourcing                                  20%
RESPONDENTS CHOSE ALL THAT APPLY

44% plan to increase security spending in the next year.


The Big Picture: Technology Reigns

Money really is power, isn’t it? When asked to indicate any sources of funding for information security, 57 percent of survey respondents named the IT group and 60 percent cited functional areas such as marketing, human resources and legal as major providers. Just 24 percent indicated a dedicated security department budget.

With the IT group a strong force, technology becomes the answer to many security questions. To someone with a hammer, everything looks like a nail, according to the old saw. Divert potential phishing attacks with spam filters. Stymie laptop thieves by encrypting corporate data.

If there’s a security tool out there, our survey pool uses it.

Companies have realized they must do a better job disposing of outdated computer hardware; for example, wiping disks of data and applications. Sixty-five percent of respondents now have tools to do that, up from 58 percent last year. More organizations than ever are encrypting databases (55 percent), laptops (50 percent), backup tapes (47 percent) and other media. Use of intrusion-detection software also is up: 63 percent this year compared with 59 percent last year. And installing firewalls to protect individual applications, not just servers and networks, increased to 67 percent from last year’s 62 percent.

That’s good stuff.

Despite these technology-oriented gains, though, disturbing trends continue in the areas of security processes and personnel—some negate any protection an IT budget can buy. For example, encrypting sensitive data makes good sense, but such technology can’t stop an employee from flouting policies concerning how that data should be handled.

If the goal is to secure information, to make it truly safe, you’d better develop processes and procedures for putting your nails in the right place before whacking anything with a technology hammer. Technology must be part of a larger plan to secure information, says Dennis Devlin, chief information security officer at Brandeis University. Devlin reports to Brandeis’s vice president and provost for libraries and information technology.






Criminal activity becomes the focus of a lot of what we do in information security. Lock down the Wi-Fi to keep out the bad guy. (Got that, TJX?) But well-meaning people who make bad decisions inflict untold numbers of security incidents upon us, Devlin says. He’s seen it at Brandeis, since joining last year, and at Thomson Corp., now called Thomson Reuters, where he was chief security officer for seven years.

For example, employees sometimes fall for e-mail scams and open attachments that unleash malicious software such as keystroke loggers that record passwords and rootkits that take control of operating systems. Devlin says the job of security managers is to teach self-defense. Rather than warn employees to watch out for the latest e-mail scam bearing a specific subject line, for example, the idea is to teach people broader lessons about the risks of clicking on unfamiliar URLs, opening attachments or handing over Social Security numbers to anyone online, he says.

“It’s not possible with technology to protect every individual from every possible security risk,” he says. “Our job is to teach people to think the way we think.”

Like Brandeis, more organizations seem to be trying that. This year, 54 percent of survey respondents said they provide employees with security awareness training, up from 42 percent last year.

But there’s plenty of work to do. Just 41 percent of those surveyed require employees to undergo training on the corporate privacy policy and practices, up incrementally from last year’s 37 percent. Forty-three percent of organizations—slightly higher than last year—don’t take the simple step of posting their privacy policies on their internal websites.

Furthermore, what’s taught at many organizations provides only a veneer of security, namely, compliance with government or industry regulations.

Checklist Security

Regulations such as the Health Insurance Portability and Accountability Act for medical data, Sarbanes-Oxley for financial data and the Payment Card Industry standard for credit card data continue to move executives to action. The threats of fines and jail time tend to do that. For example, 44 percent of respondents say they test their organization for compliance with whatever laws and industry regulations apply, up from 40 percent last year; 43 percent say they monitor user compliance with security policy, a healthy increase from last year’s 37 percent. Assessing internal risks to compliance is something 55 percent are doing, up from 49 percent.

Secure Those BlackBerrys!

14% of security incidents in the past year involved handheld devices.

Who’s in Charge of Information Security?

CISOs often report to more than one executive. At large companies, one of them is most likely the CIO. Among big companies with CISOs, 44% report to the CIO, compared to 36% at mid-market companies.

We’ve Been Hit!

How organizations learn of security incidents:

Server or firewall files and logs         39%
Intrusion detection/prevention system     37%
Colleague                                 36%
RESPONDENTS CHOSE ALL THAT APPLY

But let’s not pass around attaboys too quickly. Note that even with such positive steps, those numbers are far from 100 percent. Many organizations aren’t doing much beyond checking off the items spelled out in regulations, and basic safeguards are being ignored, says Karen Worstell, a managing principal at the consulting firm W Risk Group, former chief information security officer at Microsoft, and former CISO and VP of IT risk management at AT&T.

Adhering to regulations and standards doesn’t amount to thorough security policy, Worstell says, for many reasons. For one, organizations can sometimes pass compliance audits simply by writing up policies, without demonstrating how they adhere to them. Other times, the standard or regulation may have holes.

PCI, for example, mandates that a firewall be installed to protect cardholder data. But Worstell says the standard doesn’t address whether a company has processes to ensure that once a piece of technology is installed, it’s regularly upgraded or monitored to see how effective it is. “If security stops at PCI, that’s not enough,” she says. Hannaford Supermarkets experienced the theft of customer credit and debit card data from December 2007 to last March, a period when the grocery chain was certified compliant with PCI, “the highest security standards required by the credit card industry,” the company says.

Neither is it enough if security monitoring stops within your own four walls. But that’s exactly what’s happening. A dirty secret uncovered in this year’s poll reveals that companies don’t know, and apparently don’t care to know, what happens to their data once they hand it to another company. Get ready to be disturbed.

Leader and Laggard

Financial services companies have adopted security best practices most widely. The consumer-products and retail industries lag the rest.

PRACTICE                                              CONSUMER PRODUCTS/RETAIL   FINANCIAL SERVICES
Employs a CSO or CISO                                          43%                      83%
Has an information-security strategy                           52%                      75%
Runs personnel background checks                               47%                      69%
Involves business and IT decision makers
  with information security issues                             47%                      67%
Dedicates staff for employee awareness programs                41%                      60%
Provides security baselines for external partners              40%                      59%
Has an information security budget                             18%                      37%


Outsourced Out of Sight, Security Out of Mind

Here’s one of the most worrisome of our findings this year: A skimpy 22 percent of respondents keep an inventory of all the outside companies that use their data.

If that isn’t enough to make you wince, we’ve got more. Just 37 percent of our survey respondents require third parties handling the personal data of customers or employees to comply with their privacy policies. Even fewer—28 percent—perform due diligence of those third parties to understand how or whether they safeguard information.

Yet 75 percent of respondents profess at least some level of confidence in the effectiveness of their partners’ security.

Isn’t that rosy?

Due diligence on any outsiders that handle your data is more important than ever, though, as companies parcel out corporate work of all sorts to third parties, says Tom Bowers, managing director of Security Constructs, an industry analysis firm specializing in trade-secret protection technologies. In that respect, pharmaceutical companies can teach other industry verticals a great deal, he says.

Bowers was senior manager of global information security operations at Wyeth Pharmaceuticals for seven years before starting Security Constructs. Bowers’s security group subjected potential Wyeth business partners to detailed scrutiny of their security practices. He had to. “We were responsible for protecting intellectual property no matter where it sat. Here or with an outsourced clinical trials company in Dublin. Wherever.”

Ken Harris, CIO at Shaklee, says every company should make sure its outsourcers have the same security as its own—or better. “You vet the security and disaster recovery of your outsource providers in the same way you would vet your own operation,” he says, adding, “It does take time and resources.”

Companies skip this security check, though, because it’s expensive and time-consuming, says PwC’s Lobel. Checking out a partner’s security and privacy practices would take at least one full-time employee at least two days for the smallest company, he estimates. “A large company may have literally thousands of partners,” he says.

Alignment Check

28% of consumer products and retail executives said their company’s security spending is poorly aligned or not aligned with business objectives, compared with 14% of financial services executives.

Protect Information, Not Just Systems

Where data is and where it’s going constantly worries information security managers. Thirty-eight percent of the managers we surveyed said they experienced one to 49 security events in the past year, and another 35 percent say they don’t know whether they have been hit. Those figures are close to last year’s results.

Among those in our survey who experienced incidents, 39 percent found out about them via server or firewall logs, and 37 percent used intrusion detection or prevention systems. But a significant number—36 percent—say a colleague clued them in. These figures reflect an unchanging trend showing that the human element is just as important as any technological one when it comes to good security. More evidence of the need for diligent and repeated employee training.

What’s in Your Toolbox?

With the IT group as a major source of funding for information security projects, technology has become the answer to many security questions. More respondents now have a comprehensive set of IT security tools.

TECHNOLOGY                              2007    2008
Malicious-code detection tools           80%     84%
Application-level firewalls              62%     67%
Intrusion detection                      59%     63%
Intrusion prevention                     52%     62%
Encryption: database                     45%     55%
Encryption: laptop                       40%     50%
Encryption: backup tape                  37%     47%
Automated password reset                 40%     45%
Wireless handheld device security        33%     42%
RESPONDENTS CHOSE ALL THAT APPLY.

Spending More

Investment in security is going up, especially in the mid-market. Few are making cuts.

SPENDING PLAN      COMPANY REVENUE:  LESS THAN $100 MILLION   $100 MILLION-$999 MILLION   $1 BILLION OR MORE
Increase                                      46%                       55%                      50%
Stay the same                                 38%                       28%                      26%
Decrease                                       4%                        5%                       7%
Don’t know                                    12%                       12%                      18%
NUMBERS MAY NOT EQUAL 100% DUE TO ROUNDING

SURVEY METHODOLOGY The “Global State of Information Security” survey, a worldwide study by CIO, CSO and PricewaterhouseCoopers, was conducted online from March 25, 2008, through May 19, 2008. CIO and CSO print and online customers and clients of PricewaterhouseCoopers from around the globe were invited to take the survey. The results shown in this report are based on responses from 7,097 security and information technology professionals from more than 100 countries. Thirty-nine percent of respondents were from North America, followed by Europe (27%), Asia (17%), South America (15%) and the Middle East and South Africa (2%). The margin of error for this study is +/- 1%.


Four Ways to Maximize Your Security Budget

BUSINESSES ARE INVESTING MORE IN SECURITY. BUT WHAT IF YOURS ISN’T ONE OF THEM? YOU CAN GET MORE FROM THE BUDGET YOU HAVE.

1. Keep on training. Security consultant John Bambenek notes that there are plenty of open-source tools available for security shops that can’t afford the latest and greatest defenses. Existing commercial tools can also be better-maintained or tweaked with the right scripts. But to make these things work, employees need constant training. “Trained staff know how to make the most of their abilities to get the job done, even without commercial tools,” he says.

2. Increase security awareness. An aware workforce can be enough to make the difference when you can’t spend more money, says Ernie Hayden, a principal at 443 Consulting and former CISO of the Port of Seattle. Through training, education and continuous “rifle-shot guerrilla marketing techniques,” a company can condition employees to be paranoid of e-mail attachments and URLs sent by strangers, or to be more cognizant of any trouble fellow employees may be up to.

3. Pay attention to morale. Cut the red tape. Employees will be happier if it’s easier to get their work done, notes Joseph Guarino, CEO and senior consultant for Evolutionary IT. And watch what you cut from your budget. When the money supply runs dry, employees understand if the free snacks in the office kitchen have to go away. But slice too deeply into discretionary expenditures like professional development programs, and employee morale will tank, says Richard Parry, head of global security for Novartis Institutes for BioMedical Research. In-house, cross-functional training helps, too, by providing “interesting variations in their daily duties.”

4. Simplify IT. Cutting down on IT complexities and embracing security compliance controls will lessen the chances of a mistake-fueled catastrophe, says Atlanta-based strategic architect James DeLuccia. One common requirement of regulatory compliance is to reduce network complexities and redundancies so data can be better tracked and protected. Fewer complexities also mean fewer opportunities for a security failure, especially in an organization where staffing and tech savvy are in short supply.

Bill Brenner is a senior editor with CSO magazine. To read a longer version or comment on this story, go to www.csoonline.com/article/403713.






Only 24% classify the business value of data as part of security policies.

Continental Shifts

On average, companies in North America plan the smallest increases to their security budgets.

AVERAGE INCREASE
North America     5%
South America    10%
Europe            6%

Ignorance Isn’t Bliss, Part 1

Nearly half of respondents can’t identify vulnerabilities that led to security incidents.

METHOD OF EXPLOITATION                 2007    2008
Unknown                                 45%     44%
Network                                 23%     20%
Application                             14%     17%
Data                                    18%     16%
System                                  18%     15%
Human (through social engineering)      16%     15%
RESPONDENTS CHOSE ALL THAT APPLY

Ignorance Isn’t Bliss, Part 2

Employees and former employees together remain the biggest threat. But the source of nearly half of security incidents is unknown.

SOURCE OF INCIDENT              2007    2008
Unknown                           *      42%
Employees                        48%     34%
Hackers                          41%     28%
Former employees                 21%     16%
Business partner                 19%     15%
Customer                          9%      8%
Other                            20%      8%
Terrorist/Foreign government      6%      4%
RESPONDENTS CHOSE ALL THAT APPLY
* NOT A CHOICE IN 2007

Investing employees with responsibility for keeping data correct and protected is the best way for a company to guard against security threats, says Tim Stanley, CISO at Continental Airlines.

Stanley wants to categorize every file in the enterprise by three variables: owner, business value and risk level. The government has “top secret,” “secret” and “confidential” ratings, but Continental’s designations will be more granular and dynamic, using tiers and subsets of tiers.

Thinking this way vaults Continental ahead of most companies. Just 24 percent report that classifying the business value of data is part of their security policies. While 68 percent classify their data according to risk level, at least periodically, 30 percent don’t ever do it.

The complexity of such a project explains the low numbers, Lobel says. “Doing this project is a lot of effort, and unless there’s a regulatory need for it, many don’t do it.”

Stanley expects the project to take three or four years. “Anything that keeps planes in the air and money coming through is Tier 1,” Stanley explains. That would include information about crew scheduling, and cargo and fuel needs, as well as credit card processing information. Tier 2 or 3 is still important to protect, but not critical to keeping planes aloft, for example, providing employees access to their 401(k) accounts.

Security technology and procedures will correspond to the risk and tier level in which a piece of data falls, as defined by the data owner. Tier 1 may mandate twice-a-day backups and two-factor user authentication, he says. “I can expend my resources more appropriately to our data’s value and therefore save the company money,” he says. “Stop spending ten dollars to protect five dollars worth of data.” Music to an airline CEO’s ears.
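The owner/value/risk tiering Stanley describes, with controls scaled to the tier, is easy to express as policy-as-code, and doing so makes both halves of his argument checkable. The Python below is an added example, not Continental’s scheme or code. The only details taken from the article are the three rating variables and the Tier 1 baseline of twice-a-day backups and two-factor authentication; the tier thresholds, the Tier 2 and Tier 3 baselines, the control “ladders” and the sample inventory are assumptions made up for illustration. Besides flagging assets whose controls fall short of their tier, it flags the opposite case, controls stronger than the tier calls for, which is the “ten dollars to protect five dollars of data” waste Stanley wants to stop.

```python
"""Tiered data classification with an under/over-protection check.

Added example for illustration; not Continental Airlines' scheme or code.
From the article: assets are rated by owner, business value and risk level,
and Tier 1 mandates twice-a-day backups and two-factor authentication.
Everything else here (tier thresholds, the control ladders, the Tier 2 and
Tier 3 baselines, the sample inventory) is an assumption made for the example.
"""
from dataclasses import dataclass

# Each control kind is a ladder from weakest to strongest. The rung's index is
# its strength, so what is applied can be compared with what the tier requires.
LADDERS = {
    "backup":        ["none", "weekly", "daily", "12h"],
    "auth":          ["password", "mfa"],
    "encryption":    ["none", "at_rest"],
    "access_review": ["never", "annual", "quarterly"],
}

# Required rung per tier. Tier 1 backup and auth come from the article;
# the remaining entries are assumed.
BASELINE = {
    1: {"backup": "12h",    "auth": "mfa",      "encryption": "at_rest", "access_review": "quarterly"},
    2: {"backup": "daily",  "auth": "mfa",      "encryption": "at_rest", "access_review": "annual"},
    3: {"backup": "weekly", "auth": "password", "encryption": "none",    "access_review": "never"},
}


@dataclass
class DataAsset:
    name: str
    owner: str            # the data owner decides value and risk
    business_value: int   # 1 (nice to have) .. 5 (keeps planes in the air, money coming in)
    risk_level: int       # 1 (low) .. 5 (regulated, or high impact if exposed)
    applied: dict         # control kind -> rung actually in place


def assign_tier(asset: DataAsset) -> int:
    """Assumed rule: the higher of value and risk picks the tier, so a
    low-value but high-risk asset (a card-processing feed) is still Tier 1."""
    score = max(asset.business_value, asset.risk_level)
    if score >= 5:
        return 1
    if score >= 3:
        return 2
    return 3


def strength(kind: str, rung: str) -> int:
    return LADDERS[kind].index(rung)


def control_gaps(asset: DataAsset) -> dict:
    """Compare applied controls with the tier baseline. 'under' lists controls
    weaker than required (exposure); 'over' lists controls stronger than
    required (the 'ten dollars to protect five dollars of data' waste)."""
    tier = assign_tier(asset)
    under, over = [], []
    for kind, required in BASELINE[tier].items():
        # A control kind with no record counts as the weakest rung, so it
        # surfaces as a gap instead of passing silently.
        applied = asset.applied.get(kind, LADDERS[kind][0])
        diff = strength(kind, applied) - strength(kind, required)
        if diff < 0:
            under.append((kind, applied, required))
        elif diff > 0:
            over.append((kind, applied, required))
    return {"tier": tier, "under": under, "over": over}


def review(assets) -> dict:
    """Classify a whole inventory; findings keyed by asset name."""
    return {a.name: control_gaps(a) for a in assets}


# Constructed sample inventory (made up for the example, not survey data).
INVENTORY = [
    DataAsset("crew_scheduling", "flight-ops", 5, 3,
              {"backup": "12h", "auth": "mfa", "encryption": "at_rest", "access_review": "annual"}),
    DataAsset("card_processing", "finance", 3, 5,
              {"backup": "daily", "auth": "mfa", "encryption": "at_rest", "access_review": "quarterly"}),
    DataAsset("employee_401k_portal", "hr", 2, 3,
              {"backup": "12h", "auth": "mfa", "encryption": "at_rest", "access_review": "quarterly"}),
    DataAsset("cafeteria_menu", "facilities", 1, 1,
              {"backup": "weekly", "auth": "password"}),
]

if __name__ == "__main__":
    for name, finding in review(INVENTORY).items():
        print(f"{name}: Tier {finding['tier']}")
        for kind, applied, required in finding["under"]:
            print(f"  UNDER-PROTECTED  {kind}: {applied} < required {required}")
        for kind, applied, required in finding["over"]:
            print(f"  OVER-SPENDING    {kind}: {applied} > required {required}")
```

Run as a script it prints one line per asset plus any under- or over-protection; `review()` returns the same findings as a dictionary so the check can be fed from an inventory export and into a compliance report. In the sample data the card-processing feed lands in Tier 1 on risk alone and is caught backing up only daily, while the 401(k) portal, a Tier 2 asset, is carrying Tier 1 controls it does not need. A control kind that has no record at all is treated as the weakest rung, so an asset with no encryption entry is reported as under-protected rather than quietly passing.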

Which Brings Us Back to Money

With security budgets averaging $1.7 million, an optimistic 44 percent of those surveyed said their information security spending would increase this year, while 4 percent expected a decrease. Where will the money go? We see glimmers of hope.

Top priorities in the coming year include hiring information security consultants and hiring a CISO. Respondents also plan to develop security procedures for handheld devices and create an identity management strategy. They expect to invest in technologies, including biometrics, to tighten access to sensitive data, as well as in data-leakage prevention and security event correlation tools to start analyzing what works and what doesn’t on which kinds of security problems.

These steps, Lobel says, will get companies closer to a comprehensive security strategy. Already, he notes, 40 percent of organizations use security as a marketing point, usually soliciting business on the grounds that they protect customer data better than their rivals. “But it’s only a competitive advantage if it works, if it’s good security.” ■

Senior Editor Kim S. Nash can be reached at knash@cio.com. To comment on this article, go to www.csoonline.com/article/454939.






[  INDUSTRY  VIEW] 

Matt  Bancroft,  Mformation 


Five  Mobile  Security  Trends 
Keeping CIOs up at Night

The pace of mobilization within many enterprises is increasing rapidly. Enterprises of all sizes and types are finding that going mobile can significantly increase the productivity of their employees, bringing added flexibility and cost reductions, and helping many companies gain a competitive edge in their market.

In a survey of CIOs of top-500 companies, undertaken by independent research firm Coleman Parkes, 81 percent of the CIOs interviewed reported that they have seen significant productivity increases from their mobile investments, and the same percentage expect further significant productivity increases from new mobile products over the next five years.

It comes as no surprise, then, that enterprises are providing a growing number of management and staff with mobile devices equipped to access corporate data and applications.

In addition, enterprises are embarking on initiatives that will significantly increase their use of mobile applications. As mobile and wireless solutions become increasingly important to an organization's overall business strategy, they are also becoming increasingly important to an organization's IT strategy. Security issues consistently top the list of IT concerns: nearly eight out of 10 of the CIOs surveyed indicated concerns about the proliferation of their company's corporate data and the attendant security implications.

A number of trends are driving the need for better mobile device management and security. The combination of an increasingly varied set of mobile devices with increasing memory, power and portability, combined with a trend toward more powerful, IP-based network infrastructures, is creating a fertile ground for the migration of Internet-based threats into the mobile space. At the same time, new and powerful mobile applications are being launched, and security threats are becoming increasingly sophisticated. These are among the issues keeping CIOs and CSOs up at night.

TREND 1: More powerful and less expensive mobile devices are becoming ubiquitous and are as irreplaceable as any PC or laptop, significantly increasing the risks from loss and theft. Mobile handsets are becoming more powerful with each new release, to the point where the newest and smartest mobile devices are more like handheld computers than cellular phones. And with every product release, the devices have more capabilities and cost less. As an example, the 8GB iPhone 3G coming out this month will cost a mere $199, compared to the original 8GB iPhone that cost $599 when it was first introduced last year and $399 just a few months ago.

The same trend is playing out with other smart devices, including BlackBerry, Windows Mobile and Symbian devices.

Network providers have made their pricing models more attractive to enterprises as well. Rather than per-minute, per-transaction or per-byte pricing, which is difficult to budget for and therefore very unattractive to enterprises, data services are being offered in attractive pricing bundles, including "all-you-can-eat" packages.

With this sort of power in such a small and portable package, many executives and managers are finding their mobile handset to be as irreplaceable as any PC or laptop. Unlike PCs and laptops, however, mobile devices carry an equally significant amount of information in a much smaller and more portable package that is incredibly easy to misplace, lose or steal, significantly increasing the risk to the enterprise.

TREND 2: A move toward more powerful, IP-based network infrastructures is leading to increased use of data-heavy mobile services, which need more sophisticated management. Wide-area networks are continually being enhanced to deliver the bandwidth necessary to support new data-heavy mobile services and applications. These enhanced networks offer improved breadth of coverage and reliability, key objectives for most mobile operators. UMTS (Universal Mobile Telecommunications System) in GSM-based networks and EV-DO (Evolution-Data Optimized) in CDMA-based networks both represent significant improvements in these areas.

Fourth-generation networks such as WiMAX (Worldwide Interoperability for Microwave Access) are now being rolled out, enabling ever more sophisticated, data-heavy mobile services and applications. Third-generation LTE (Long Term Evolution) and other all-IP variants are shortly to follow.

More than a decade of R&D has gone into securing PCs and laptops connected to the Internet and corporate intranets. These technologies are now commonplace in enterprise networks. The same level of attention needs to be paid to these highly portable wireless devices if they are to succeed in the enterprise. However, simply porting PC-style security and management systems to the wireless arena ignores the very small form factor, extreme portability and vastly different usability expectations that are unique to mobile devices and wireless connections. IT organizations are finding that they need to find a middle ground, leveraging some of the R&D done in the PC/laptop arena while keeping the unique needs and requirements of the mobile device in mind, to ensure the mobile experience is not negatively affected in any way.

TREND 3: Increased numbers of corporate users of mobile devices accessing company applications and data at all levels of the enterprise are creating a huge headache for IT departments. Not only are more company executives beginning to depend on their smart mobile devices, but also staff at all levels are increasingly "going mobile." Smartphone use is rapidly driving down into the ranks of middle management and staff workers. Sixty-seven percent of CIOs responding to the Coleman Parkes survey reported that the proportion of nonmanagerial staff with access to advanced corporate mobile devices will increase, with fully one-third of them indicating that the proportion would increase significantly. And in many cases, when the enterprise doesn't supply mobile devices to employees, they are simply using their personal mobile devices to transact company business and run company applications, with or without the knowledge of the IT organization.

This proliferation of devices that can access company applications and data is creating a huge headache for IT departments. Not only do they need to minimize the risk associated with the possible loss, theft or misuse of a growing population of devices, but they also need to find ways to manage and secure everything from company-issued mobile devices to a host of different personal and partly personal mobile devices.

TREND 4: More advanced and data-heavy mobile applications and services on employees' mobile devices require more sophisticated monitoring and management.

Over the past several years many industries have come to rely upon mobile enterprise applications. BlackBerry devices, for example, have become de rigueur among investment bankers and lawyers who need always-on access to e-mail, calendar and market information. Government organizations are using mobile devices to capture information from remote government employees for a wide range of tasks, including Emergency Medical Services (EMS), traffic management and even animal control and tracking. In the healthcare industry, physicians and case workers can now capture and access health information at point-of-care using their mobile devices. Popular mobile enterprise applications used across all industries include sales-force automation, field-force automation, fleet management, inventory management, mobile tech and wireless CRM.

Employee mobile devices often contain a wide range of applications and data files, both company-issued and personal. However, according to the Coleman Parkes survey, 63 percent of CIOs interviewed do not actively monitor the types of data that employees are storing on their devices. Nothing prevents employees from installing data and applications onto their devices that could cause problems for the company, from unknowingly circulating viruses to not playing well with corporate systems or adhering to corporate security policies.

TREND 5: More and more sophisticated security threats are appearing as new devices provide richer targets.

Although, so far, infestation of wireless handsets by Internet-based security threats has been relatively low, new threats to mobile devices, including malicious programs (viruses, worms and Trojan horses), continue to appear. In just the last few months, two new Trojan horse viruses (one targeting Symbian SMS messages and another targeting specific Windows Mobile programs), two new worms (one targeting particular Symbian phones and one targeting multimedia cards) and a new spyware application have shown up in the market. Thankfully, none of these malicious bits of code have caused widespread damage. However, despite the fact that the current threat is not particularly high, most industry experts are saying that the iPhone, Android and mobile devices with Wi-Fi and other broadband capabilities will undoubtedly be rich targets for malware and viruses in the coming years.

Effective management of a company's mobile devices, data and applications will mean faster mobilization of enterprise applications, which, in turn, will lead to increased employee productivity at all levels of the enterprise. Recognition of the trends driving mobile adoption and the unique challenges associated with managing and securing mobile devices is a good first step in ensuring that corporate data is protected and the business is kept safe while it moves forward with mobilization initiatives. The next step is to make sure policies and systems are in place to effectively manage and protect mobile devices, data and applications, while supporting the people who increasingly depend on them.

Matt Bancroft is chief marketing officer of mobile security provider Mformation.




[cso view]

By Paul Raines

The One-Way Mirror


If you're an American and want a good chuckle, ask a European the following three things: Ask them to count to five on their fingers. Europeans will start with holding out their thumb to indicate the number one, whereas Americans will start with their index finger. Ask how they would carry a bouquet of flowers. Europeans carry them with the flowers facing down (so that the water can drain toward the flowers). Those are things Europeans do differently from Americans. The last question is something Europeans do the same as Americans, and it will surprise you. Ask Europeans what they played when they were kids and they will probably say the same thing as many American children: cowboys and Indians.

I find this surprising. Why would the folklore and events of a relatively short period of American history in one section of the country (west of the Mississippi River) be the fodder for the imagination and entertainment of a generation of Europeans? But in fact, Europeans know almost as much about American folk legends like Billy the Kid, Jesse James, Sitting Bull and General George Armstrong Custer as do Americans.

The reason for this strange anomaly is the predominance of American television and movies. European television broadcasts all sorts of current American programs. American movies dominate the cineplexes there. The European cafes and discotheques, for the most part, play American music. CNN broadcasts there with much of the same reporting of current events, with special emphasis on the American presidential race.

However, Americans know very little about Europe. It's a bit like being in an observation room with a one-way mirror. You can see into the next room, which is America, but the Americans in that room cannot see you.

This asymmetry of information usually works to Americans' disadvantage in conversation. For example, a European can intelligently discuss the results of the latest American presidential preference poll and what the foreign policy implications would be if one candidate should be elected. Yet the American would be hard pressed to name the leading opposition party leader in that European country, let alone know what his various policy positions might be. Americans needn't feel ashamed about this because it is not their fault. It is simply the result of the American dominance of media around the world and its obsession with reporting trivial stories at the expense of important events outside of America. Does this mean that American security managers are destined to come across as cultural ignoramuses when they venture across the pond? Not necessarily. Of course, it helps to become familiar with local customs, phrases and current events. Two of the best free resources for a quick crash course on a country can be found at the U.S. State Department's website at travel.state.gov/travel, and the United Kingdom's Foreign and Commonwealth Office, www.fco.gov.uk/en/travelling-and-living-overseas.


But when you're addressing European colleagues, don't hesitate to make American cultural references. If you mention Oprah or Brad and Angelina, Europeans will all know exactly who you are speaking about. If you use the analogy of Custer's last stand, they will understand it.

That doesn't mean, of course, that as a security manager you can ignore local customs and regulations, especially those that affect security. For example, in Europe, information security managers look to the ISO 27000 series of standards on information risk management, particularly ISO 27001 and 27002 (formerly ISO 17799). The latter standard focuses on security controls that American security managers would be very familiar with, but the former standard concentrates on the management of the Information Security Management System (ISMS) based on quality management principles taken from ISO 9001. Thus, European security managers tend to be more concerned with quality management requirements as an integral part of security (e.g. demonstrating processes that lead to continual evaluation and improvement). This is a notion that would strike most American security managers as odd: they wouldn't think of evaluating their quality management practices as an integral part of their overall security program.

Research and ask questions of your overseas staff in order to become familiar with the local customs and requirements affecting security. Do that, and you'll be as welcome among Europeans as the cavalry coming over the hill to save their wagon train from attack.

Paul Raines is an American working as a CISO in Europe.




[debriefing]

Where Good Guys Finish

Investment Bank CEO v. CSO

Each category lists the Banker's entry, the CSO's entry, and who has the Edge.

Pay
  Banker: Obscene piles of cash buffered by preposterously generous perks
  CSO: Slightly less than the banker's valet
  Edge: Banker

Business offsite
  Banker: One of his Caribbean islands
  CSO: Offsite?
  Edge: Banker

Car
  Banker: Chauffeured Bentley with wet bar, satellite TV and broadband Internet access
  CSO: Black Suburban, bullet-proof, tinted glass, reinforced flanks, self-repairing tires and a sweet little purring V-10 in the kitchen
  Edge: Push (CSO if corporate gas card included)

Complex instrument of choice
  Banker: Bundle of highly leveraged mortgage securities swapped with other investors without oversight to distribute risk across multiple investment channels
  CSO: Nessus
  Edge: CSO

Cool part of the job
  Banker: Turns out there's not really that much work involved
  CSO: Taking out bad guys
  Edge: CSO

Worst part of the job
  Banker: Turns out they don't really understand what it is they actually do
  CSO: Taking out bad guys who work at the firm
  Edge: Push

Understanding of risk
  Banker: "We've eliminated risk from banking."
  CSO: "Are you serious?"
  Edge: CSO

Vacation destination
  Banker: Two words: Space plane
  CSO: Two words: Space Mountain
  Edge: Banker

Soul
  Banker: Sold
  CSO: Intact
  Edge: CSO

Next place of employment
  Banker: Prison laundry
  CSO: Consulting firm
  Edge: CSO
